Forum Discussion

Pontus T
Iron Contributor
Jul 22, 2020

Azure AD conditional access for Edge profile sign in

Hi Insiders! I hope this is the right channel for posting.

I cannot find details on how to configure an Azure AD conditional access policy (or something else) that prevents users from signing in to Edge (profile), using their corporate accounts, from unmanaged devices. Do you happen to know how to configure this?

I expect Edge conditional access to be available as it is a no-brainer. With new Edge, an account compromise has a lot higher impact as it will grant access to password manager, credit card details and form fills saved to the cloud profile, rather than the Windows credential manager (which was the case with legacy Edge). Not really sure why Microsoft is not communicating this new major risk factor unless I have missed something.

Without a way of blocking, a malicious actor can simply sign in to a compromised account from a random device's Edge client, and get access to all the saved passwords, history, favourites, credit cards, etc. This also often includes users' personal credentials and details that they save when prompted.

Setting an AAD conditional access policy that has "all cloud apps" selected, as well as all options under "client apps", with the condition to "Grant" access, but "Require Azure AD Joined device", does not block sign in to Edge from a personal device. I guess that Edge is not seen as a "cloud app", but at the same time, the sign in is to a cloud profile, and the sync is connected with AIP, which in turn is part of cloud apps.

I am currently stopping the sync in the pilot deployment using MEM policy. This helps somewhat, but blocking sync is not possible on the iOS app as far as I know. So passwords saved via mobile can still be compromised. In addition, I want to use sync to make the PC/mobile experience seamless. But activating sync is a huge risk unless I can block sign in completely as needed.

Hope I have just missed something as I would not expect any enterprise or security conscious customers to implement Edge without this in place.

Thank you for your help!

  • Pontus T
    Iron Contributor

    Sorry guys, I was a bit trigger happy with reaching out to the community! I have found the fix myself.

    What I had missed was that the "Browser" option under "Client apps (preview)" was not sufficient as it does not include Modern Auth. When I added "Desktop and client apps" > "Modern authentication clients", the conditional access worked as expected.

    So to prevent malicious sign-ins, as well as users from accessing their corporate Edge accounts on personal devices, the below policy settings will work. Tested on Windows 10, MacOS Catalina and iOS:

    Users and groups = select as needed (make sure they all have AAD P1 to comply with license requirements)

    Cloud apps or actions = "All cloud apps"

    • If someone knows which cloud app is used for the Edge condition, please let me know. I have tried to do AIP only as it is used for sync but that doesn't work. The audit log refers to "Microsoft Activity Feed Service" and "Microsoft Graph" as the "Resource", but they are not available to select in the condition. "All cloud apps" might not work for some organisations.

    Conditions > Client apps (Preview) = Select "Browser" and "Mobile apps and desktop clients" > "Modern authentication clients" (recommended to also select the other ones for non-modern auth protection).

    Grant = "Grant access" > "Require Hybrid Azure AD joined device"

    Hope this can help other lost souls! Thanks
    • RafaelVieira80
      Copper Contributor

      Pontus T This is great, however this will block all access to O365/Azure from unmanaged devices.

      In a BYOD scenario, for instance for SharePoint Online, users will not be able to access anything shared with them, unless you force users to register their devices within your organization.
      If they have the devices already being managed by other orgs you will not be able to do it.

    • JPCunningham
      Copper Contributor

      Pontus T We had the same requirement. I see you can select Office 365 discretely to include/exclude. Did you ever narrow this down from "all cloud apps"?

  • JasonRUK
    Copper Contributor
    Hi,
    Think I've cracked this one for you - if you scope the CA policy to
    "Common Data Service
    00000007-0000-0000-c000-000000000000"

    Then Edge logins from personal devices are being blocked.
    I have a policy scoped to a single user and this single application with a requirement to be domain joined. I am not able to log into Edge, but I can still log into 365 via a browser session.
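The policy Pontus T lists above, and JasonRUK's narrower "Common Data Service" scope, expressed as a Microsoft Graph conditionalAccessPolicy request body so it can be reviewed and deployed as code. This is an added example, not code from the thread or from Microsoft; the portal-label-to-Graph-value mapping is this example's own reading of the documented schema, and the group object id is a placeholder.

```python
import json
import urllib.request

# Portal "Client apps" labels -> Graph clientAppTypes values (mapping is this example's own)
CLIENT_APP_TYPES = {
    "Browser": "browser",
    "Mobile apps and desktop clients": "mobileAppsAndDesktopClients",  # modern auth clients
    "Exchange ActiveSync clients": "exchangeActiveSync",
    "Other clients": "other",
}
# Portal "Grant" labels -> Graph builtInControls values
GRANT_CONTROLS = {
    "Require Hybrid Azure AD joined device": "domainJoinedDevice",
    "Require device to be marked as compliant": "compliantDevice",
}
# App id for "Common Data Service", the narrower scope JasonRUK reports blocks Edge sign-in
COMMON_DATA_SERVICE_APP_ID = "00000007-0000-0000-c000-000000000000"
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_policy(name, group_ids, client_apps, grant, apps=("All",), report_only=True):
    """Return the Graph request body. Defaults to report-only so the blast radius
    (e.g. BYOD SharePoint access, as RafaelVieira80 notes) can be reviewed first."""
    unknown = [c for c in client_apps if c not in CLIENT_APP_TYPES]
    if unknown or grant not in GRANT_CONTROLS:
        raise ValueError(f"unsupported portal label(s): {unknown or grant}")
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(apps)},
            "clientAppTypes": [CLIENT_APP_TYPES[c] for c in client_apps],
        },
        "grantControls": {"operator": "OR", "builtInControls": [GRANT_CONTROLS[grant]]},
    }


def create_policy(token, policy):
    """POST the body to Graph (token needs Policy.ReadWrite.ConditionalAccess). Not run here."""
    body = json.dumps(policy).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(GRAPH_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Pontus T's settings: all client app types, hybrid join required, placeholder group id
    policy = build_policy("Edge profile sign-in: require hybrid join", ["<group-object-id>"],
                          list(CLIENT_APP_TYPES), "Require Hybrid Azure AD joined device")
    print(json.dumps(policy, indent=2))
```

Pass `apps=(COMMON_DATA_SERVICE_APP_ID,)` instead of the default `("All",)` to get JasonRUK's variant, then compare both against sign-in logs while still in report-only state.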
    • Hap
      Brass Contributor
      That is pretty cool, but how about the other way around. We want a compliant device for all access, except for Edge sync. I'm hesitant to exclude "Common Data Service 00000007-0000-0000-c000-000000000000" from the policy that has the device compliancy grant, as this cloud app seems very generic and is probably used for more than just Edge sync functionality?
      • Johannes Goerlich
        Brass Contributor
        Hi all,
        It seems this gap can now also be closed by leveraging the https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service, which allows configuring Microsoft Edge browser settings depending on the Microsoft Entra group of the signed-in work account and not based on whether the device is managed or not.
        I couldn't look into this in detail but maybe there is the possibility to disable sync of passwords, credit cards, addresses etc.
        Kelly_Y do you know whether this is feasible?
