I'm facing a tricky issue with Conditional Access (CA) while trying to manage access to Office 365 web portals. Specifically, I want to block access from any unmanaged devices, but my managed Windows devices are being blocked too because they're showing up as 'Unknown' in the CA sign-in logs. Here's a bit more detail:
- I've set the policy to block unmanaged devices.
- I'm using a device filter that should exclude Azure AD Joined, Hybrid AD Joined, and Intune-compliant devices, set up as: `device.trustType -eq "AzureAd" -or device.trustType -eq "ServerAd" -or device.isCompliant -eq True`.
- Despite this setup, users trying to access Office.com from browsers like Google Chrome are still getting blocked.
- In the CA logs, their devices show as 'Unknown', even though the workstations are correctly Azure AD Joined and have valid Primary Refresh Tokens (PRT); they just aren't Workplace Joined.
What I'm hoping to achieve is to:
- Block all unmanaged devices
- Allow Azure AD Joined, Hybrid Joined, and Intune-compliant devices access to O365 web portals
- Prevent any personal devices (BYOD) from accessing these portals.
Has anyone encountered similar issues where CA policies ignore device filters or where devices appear as Unknown despite the correct join and PRT state? Any suggestions on what might cause this blockage despite having the exclude filter set up? I'd really appreciate any insights since I seem to be missing something in the CA evaluation order.
3 Answers
Instead of blocking unmanaged devices directly, you could flip the approach and include your target devices. I’ve resolved issues with CA policies by reversing the logic, even when it seemed counterintuitive. Sometimes a fresh approach can clear things up!
Good point! Just remember, when using Chrome, it’s crucial to add that Windows single sign-on extension to allow accurate metrics to flow through the browser.
Have you considered whether this might work better with Edge? Also, did you deploy the MS SSO extension for Chrome? That might help out too!
The extension isn't strictly necessary anymore with Chrome 111, but you do have to enable that CloudAPAuthEnabled policy. It definitely simplifies deployment using GPO or Chrome Cloud Policy.
It sounds like you’re dealing with a known issue with Chrome. It doesn’t always correctly report the status back to Conditional Access, which might be why you're seeing that 'Unknown' status. You could try switching to Edge, which handles this better. If you stick with Chrome, consider installing the Microsoft Single Sign-On extension; it doesn’t require users to interact with it, just needs to be there. Also, there's a policy you can enable via GPO to help improve this situation. Here's a link for reference: [Chrome Enterprise Policy List](https://chromeenterprise.google/policies/#CloudAPAuthEnabled). Let me know how it goes!
I’ve found that the setting really works well. We deploy it through Intune and it’s listed as "Allow automatic sign-in to Microsoft® cloud identity providers" in the settings catalog.

In this case, that’s not an option. The correct method is indeed to exclude the unmanaged devices, but it seems there’s a glitch with the device identity being transmitted back.
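An added check, not code from the question or any of the answers, that ties together the two things this thread turns on: the join/PRT state the device filter in the question depends on, and the Chrome `CloudAPAuthEnabled` policy mentioned in the answers. It reads `dsregcmd /status` (field names as printed by that tool) and Chrome's documented machine-policy registry key; the function name and the mapping to the filter's `trustType` values are assumptions of this example.

```powershell
# Added example: confirm on one Windows workstation the signals Conditional Access needs
# to match the exclude filter from the question, and whether Chrome can forward them.
function Test-CaDeviceSignals {
    [CmdletBinding()]
    param()

    # dsregcmd prints "Name : VALUE" lines; pull the three fields this thread hinges on.
    $status = & dsregcmd.exe /status
    function Get-DsregField([string[]]$Lines, [string]$Name) {
        $m = $Lines | Select-String -Pattern ("^\s*" + [regex]::Escape($Name) + "\s*:\s*(\S+)") |
             Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'MISSING' }
    }
    $azureAdJoined = Get-DsregField $status 'AzureAdJoined'
    $domainJoined  = Get-DsregField $status 'DomainJoined'
    $azureAdPrt    = Get-DsregField $status 'AzureAdPrt'

    # Chrome reads machine policy here; CloudAPAuthEnabled = 1 lets Chrome 111+ use the
    # Windows cloud identity (PRT) without the Microsoft SSO extension.
    $chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $cloudAp = (Get-ItemProperty -Path $chromePolicy -Name CloudAPAuthEnabled `
                -ErrorAction SilentlyContinue).CloudAPAuthEnabled

    # Map to the trustType values used in the question's filter (assumed mapping):
    # AzureAd = Entra joined only, ServerAd = hybrid (domain + Entra) joined.
    $trustType = if ($azureAdJoined -eq 'YES' -and $domainJoined -eq 'YES') { 'ServerAd' }
                 elseif ($azureAdJoined -eq 'YES') { 'AzureAd' }
                 else { 'None (filter will not match)' }

    $problems = @()
    if ($azureAdJoined -ne 'YES') { $problems += 'Not Entra joined; trustType filter cannot match.' }
    if ($azureAdPrt -ne 'YES')    { $problems += 'No PRT; browser cannot present device identity, CA logs Unknown.' }
    if ($cloudAp -ne 1)           { $problems += 'CloudAPAuthEnabled not set; Chrome needs it or the SSO extension.' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AzureAdJoined      = $azureAdJoined
        DomainJoined       = $domainJoined
        AzureAdPrt         = $azureAdPrt
        ExpectedTrustType  = $trustType
        CloudAPAuthEnabled = $cloudAp
        Problems           = $problems
    }
}

Test-CaDeviceSignals | Format-List
```

Run it as the signed-in user on an affected workstation: a device that reports `AzureAdJoined : YES` and `AzureAdPrt : YES` but no `CloudAPAuthEnabled` (and no SSO extension) is the combination the answers describe, where the join is fine but Chrome never hands the device identity to Conditional Access.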