Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
January 27, 2021October 2, 2021

Browser restrictions and configuration when using Conditional Access on your modern workplace

This article is about a subject I covered before in my blogpost titled: “Understanding and governing reauthentication settings in Azure Active Directory“. The reason I’m doing a more specific article on the subject is because I see a lot of issues when it comes to browser configuration which must be solved if you want to implement Conditional Access and use compliance as a way to grant access the environment.

Even though you are working in the browser on a compliant device, doesn’t necessarily mean that Azure AD can detect that. Therefore you must make sure that your browsers are configured correctly before you implement the Conditional Access policy. For an overview of my recommended set of Conditional Access policies see: Conditional Access demystified: My recommended default set of policies

Some examples I often encounter: End user is working on a compliant device, but cannot download or print files when using the web interface to connect to SharePoint online, this is caused by the App Enforced Restrictions policy being active (see: Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions). Or, MCAS blocks the download of a file, even though the user is working on a compliant device. (see: Extending Conditional Access to Microsoft Cloud App Security using Conditional Access App Control)

Browser support

This all has to do with browser support and configuration, below is an overview of the requirements and what is, and what’s not supported. Currently Microsoft supports the following browsers:

os 
Windows 10 
Windows 8 / 8.1 
Windows 7 
iOS 
Android 
Windows Phone 
Windows Server 2019 
Windows Server 2016 
Windows Server 2012 R2 
Windows Server 2008 R2 
macOS 
Browsers 
Microsoft Edge, Internet Explorer, Chrome 
Internet Explorer, Chrome 
Internet Explorer, Chrome 
Microsoft Edge, Intune Managed Browser, Safari 
Microsoft Edge, Intune Managed Browser, Chrome 
Microsoft Edge, Internet Explorer 
Microsoft Edge, Internet Explorer, Chrome 
Internet Explorer 
Internet Explorer 
Internet Explorer 
Chrome, Safari

Sign-in Logging

When users are using a non-supported configuration, this might reflect as followed in the Azure AD sign-in logging. As you can see the Conditional Access policy requires a compliant device before access to the resource can be given. And in this case, our test user Ferry was working on a compliant device (you have to take my word for it).

Mozilla FireFox

Mozilla Firefox isn’t a supported browser when it comes to Conditional Access. If you configure a conditional access policy enforcing App Enforced Restrictions for example, you will experience these restrictions even when working on a compliant device. Keep in mind that there are also other browsers who use the Mozilla engine, like Tor Browser, Waterfox, and SeaMonkey to name a few. All these browsers will not work in this scenario.

Update October 2021: Mozilla FireFox is now supported, read the article below for more information

Using Mozilla Firefox as a browser when using Azure AD Conditional Access on your Modern Workplace

Google Chrome

In order for the Google Chrome browser to support the device authentication you must deploy the Windows 10 accounts extension in the Chrome browser to your devices. You’ll need this extension if you want to use the device compliancy within your Conditional Access policies.

Chrome We b St 
Windows 10 Accounts

Deploying extensions for Google Chrome using Microsoft Endpoint Manager

You can configure the Google Chrome browser running on a Intune/MEM managed Windows 10 device by using a Configuration Profile with a custom profile type.

In order for this to work, we first need to download the Google Chrome Bundle. Within that bundle you can find a folder called ADMX. From that folder you’ll need the chrome.admx file. Within the ADMX file we will use the ExtensionInstallForceList parameter to define the extensions we want to have installed.

(policy 
displayName="$(string.ExtensionInsta11Force1ist)" 
name=" ExtensionInsta11Force1ist" 
explainText="$(string. ExtensionInsta11Force1ist Explain)" 
presentation= " $ (presentation . Extensionlnstall Forcelist) " > 
<parentCategory ref="Extensions"/> 
<supportedon 
(elements> 
(list id="ExtensionInsta11Force1istDesc" 
</elements> 
/ poli 
cies \ Google \ Ch rome\ExtensionInsta11 Force list " 
val uePrefix= " " / >

Secondly we must determine the unique identifiers for the extension(s) we want to install. You can determine this by browsing to the chrome web store. From the chrome web store we need the Windows 10 Accounts extension, which at time of writing has the following id:”ppnbnpeolgkicgegkbkbjmhlideopiji” make sure that if you are configuring this yourself to doublecheck whether the id still matches.

Windows 10 Accounts - Chrome X + 
C t https://chrome.google.com/webstore/detail/Wind0WS-lO-aCCOL•lntS/2.e.22.!2.e..:.2.!2.2E.2.2.!:.k.u.22.2.U:E22L7hl 
You can now add extensions from the Chrome Web Store to Microsoft Edge - Click on 'Add to Chrome'. 
e chrome web store 
Home > Extensions > Windows 10 Accounts 
Windows 10 Accounts 
Offered by: Microsoft 
• 10,000.000+ users 
397 Productivity 
=en-US 
00 
9 
Sign in 
Add to Chrome 
Overview 
Reviews 
Related 
Instantly access accounts added to Windows 
without re-entering user credentials 
Before 
Microsoft 
After

After downloading the ADMX file and figuring out which extensions we want to install by their ID in the chrome web store we can define our Configuration Policy.

First make sure that the custom policy ingests the ADMX file, use the following OMA-URI settings to configure this:

Name: Chrome ADMX Ingestion (can be any name, but make it easy to understand what it does)

Description: <Your description if you prefer>

OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx

Data type: String

Value: Copy/Paste here the contents of the ADMX file.

Edit Row 
Ct. EVX 
Not 
Sri 
87.028015--
Chrome ADMX Ingestion

Secondly we can define the setting we want to make as defined in the ingested ADMX file. Be very careful here.

Name: ExtensionInstallForcelist (can be any name, but make it easy to understand what it does)

Description: <Your description if you prefer>

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

Data type: String

Value: <enabled/> <data id=”ExtensionInstallForcelistDesc” value=”1&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx”/>

In the example above I also install another extension (The Microsoft Defender Browser Protection) as you can see the value must be carefully composed.

First of all, the ExtensionInstallForceList will eventually end up as a REG_MULTISZ registry string. Which means that each entry must be separated by the Unicode character 0xF000 (or &#xF000; when encoded). You can also see that the URL https://clients2.google.com/service/update2/crx is being used. That URL is needed in order for the browser to determine the download path once its ready to download the extension. Each extension is also numbered, so the Windows 10 Accounts extension is number 1 and the Microsoft Defender Browser Protection extension is number 2. If you want to add more use 3, 4, etc…

ExtensionInstalForceList

Once configured assign the policy to a group and you verify whether the necessary extensions are installed within the Google Chrome browser.

Microsoft Edge

Microsoft Edge obviously supports device authentication, but whether this is being used is depending on the profile you are signed into. When you’re signed into a Microsoft Edge profile with enterprise Azure AD credentials, Microsoft Edge allows seamless access to enterprise cloud resources protected using Conditional Access. On a compliant device, the identity accessing the resource should match the identity on the profile. See: Accessing Conditional Access protected resources in Microsoft Edge for more information.

If you want to configure this sign-in for your devices you can use two settings using a Configuration Profile with an Administrative Template.

The first setting we must modify is the “Browser sign-in settings”, make sure that the setting is enabled, and that the option “Force users to sign-in to use the browser” is selected.

Browser Sign-in Settings

The second setting we must modify is called: “Configure whether a user always has a default profile automatically signed in with their work or school account”. Make sure that this setting is enabled.

Configure whether a user always has a default profile automatically signed in with their work or school account

Finish the Configuration Profile and assign it to a group of your choosing.

On a sidenote, installing extensions in Microsoft Edge is much easier, since it’s also part of the Administrative Templates, search for  “Control which extensions are installed silently” and just supply the unique id or more in a list.

Extensions

Conclusion

Before rolling out Conditional Access make sure that you have configured the browsers on your Modern Workplace to support your Conditional Access scenario’s. Also make sure that you explain to your users which browsers can be used for what scenario. In the end it shouldn’t matter if they use non-standard browsers, as long as they are aware of the consequences.

Tweet
Follow me
Tweet #WPNinjasNL

4 thoughts on “Browser restrictions and configuration when using Conditional Access on your modern workplace”

  1. Nuttykind says:
    May 12, 2021 at 1:16 am

    Hi there,
    Thanks for a great article this really helped on the Windows side with Chrome installing the extension.
    Does this apply to Chrome on Mac, as the issue we are seeing on the Macs is Chrome is prompting to choose the certificate from the keychain the first time you go to outlook on the web.
    I was wondering if there’s a way to auto select the certificate so our users on corp Macs dont have to.
    Thanks

    Reply
  2. Pingback: Using Mozilla Firefox as a browser when using Azure AD Conditional Access on your Modern Workplace | Modern Workplace Blog
  3. Pingback: Using Mozilla Firefox as a browser when using Azure AD Conditional Access on your Modern Workplace - Tech Daily Chronicle
  4. Jan says:
    February 28, 2022 at 2:48 pm

    For anyone struggling with implementation, when copying the sring value for ExtensionInstallForcelist policy, be sure to check if your quotation marks have correct format. ( ” ) is the correct one, but when copying, it will be replaced by ( ” ), which is not correct.
    I spent 5 hours figuring this out today, so I hope that this will be useful for others.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Insight24

Founding member of:

Recent Posts

  • Speaking about Mobile Application Management at the Techorama Belgium 2022 event
  • Speaking about implementing Microsoft Endpoint Manager for Operations and Mobile Application Management at the Microsoft 365 Virtual Marathon 2022 event
  • Apple Business Manager device import options for later use within Microsoft Endpoint Manager
  • Connecting Microsoft Endpoint Manager to Apple Business Manager
  • Setting up Apple Business Manager for use with Azure Active Directory

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (41)
  • Azure (3)
  • AzureAD (58)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (44)
  • Configuration Manager (24)
  • Events (8)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (15)
  • Licensing (2)
  • Microsoft Endpoint Manager (33)
  • Mobile Application Management (1)
  • Modern Workplace (64)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (7)
  • Privileged Identity Management (3)
  • Role Based Access Control (2)
  • Security (46)
  • Service Manager (4)
  • Speaking (19)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (29)

Tags

#AzureAD #community #conditionalaccess #Intune #m365 #MEM #modernworkplace #security #webinar #wmug_nl Applications ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2007 ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing MCAS MDT Modern Workplace Office 365 OSD PIM policies Policy Sets Presentation RBAC roles Security Service Manager SSP System Center Task Sequence troubleshooting webinar Windows 10 WMUG

Recent Comments

  • azure ad b2c - How AzureAD knows that device is registered or not? - Code Utility - Code Utility on May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet
  • Valen on A guide to implementing Applocker on your Modern Workplace
  • Valen on A guide to implementing Applocker on your Modern Workplace
  • sebus on Intune: Choosing whether to assign to User or Device Groups
  • Rob on A first look at using Filters for devices as conditions in Azure AD Conditional Access policies

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2022 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT