I'm looking for insights from those who manage Entra ID and Conditional Access within enterprise environments. Our company uses Entra-backed Single Sign-On (SSO) for many internal applications, as well as for external tools like Jira and Microsoft services. Recently, we've noticed that after tightening our Entra and Conditional Access policies, developers using macOS can now only access SSO through Edge. Other browsers like Firefox, Brave, Safari, and Vivaldi don't work because they fail to present the device as registered or compliant in these environments. IT maintains that these restrictions are due to the need for enhanced device identity and token handling, which are only fully supported in specific browsers on macOS. While I understand the security perspective, my concern lies more on the operational side – limiting browser options makes it difficult for web development and QA teams to test applications across different browsers that are being protected by Entra. I'm curious to know if others are facing similar situations. Is it common for enterprises to enforce such policies, and is it justified? Are developer exceptions being made, or viewed as too risky? Additionally, how do teams handle browser compatibility testing under these constraints? Does this policy seem like a reasonable security measure or more like unnecessary complexity that hampers engineering efforts?
1 Answer
It's becoming pretty standard to restrict browser choices like this. If developers truly need to use multiple browsers, it might be worth discussing with IT about setting them apart from those rules. Just remember, IT's main responsibility isn’t to make life easier for developers, unfortunately!
Should we be excluding the browser or the users from the restrictions?