Sign-in log for browser is lacking device ID

Romain PHILIPPE 6 Reputation points
2020-11-18T08:37:05.74+00:00

Hello,

My company is working with hybrid Azure AD joined devices.

We wished to use a conditional access policy to require MFA to sign-in to all apps, except from Hybrid-joined devices.

It's working fine for all client apps, but I have a problem with sign-in from browser.

Some sign-ins, not all, are prompted for MFA despite using a correctly hybrid-joined device.

Looking at AAD sign-in logs:

  • A minority of sign-in attempts to log on from the Edge browser on correctly hybrid-joined devices are lacking any "Device ID" info in AAD sign-in logs, and so those sign-ins are prompted for MFA.
  • Most, but not all, of the connections from other browsers (Chrome, Firefox) on correctly hybrid-joined devices are lacking the device ID. Some Chrome browsers seem to have it, though.

What is the rule there? Are we forced to work with Edge in this scenario? What would cause my Edge sign-in to not have the device ID?
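A small triage over an Entra ID / AAD sign-in log export for the symptom described above, added here as an example (not code from the post or from Microsoft). It assumes the Microsoft Graph signIn field names `clientAppUsed`, `authenticationRequirement` and `deviceDetail.deviceId` / `deviceDetail.browser`; the sample records are constructed, with made-up users and GUIDs.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn resources
# (Entra ID sign-in log export); users, GUIDs and browser versions are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"deviceId": "11111111-1111-1111-1111-111111111111", "browser": "Edge 86.0.622"}},
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "", "browser": "Edge 86.0.622"}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "", "browser": "Chrome 86.0.4240"}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"deviceId": "22222222-2222-2222-2222-222222222222", "browser": "Chrome 86.0.4240"}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"deviceId": "33333333-3333-3333-3333-333333333333", "browser": ""}}
]""")

def browser_family(browser):
    """'Edge 86.0.622' -> 'Edge'; empty or missing -> 'unknown'."""
    return browser.split()[0] if browser else "unknown"

def summarize_browser_signins(signins):
    """Per browser family: browser sign-ins seen, how many carried no deviceId
    (a 'hybrid joined device' CA exclusion cannot match those) and how many
    ended with an MFA requirement."""
    stats = defaultdict(lambda: {"total": 0, "no_device_id": 0, "mfa": 0})
    for s in signins:
        if s.get("clientAppUsed") != "Browser":
            continue  # native clients are not the case the post describes
        d = s.get("deviceDetail") or {}
        row = stats[browser_family(d.get("browser", ""))]
        row["total"] += 1
        if not d.get("deviceId"):
            row["no_device_id"] += 1
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            row["mfa"] += 1
    return dict(stats)

def users_missing_device_id(signins):
    """Sorted users with at least one browser sign-in lacking a deviceId:
    the machines to check for registration / PRT state (e.g. dsregcmd /status)."""
    return sorted({s["userPrincipalName"] for s in signins
                   if s.get("clientAppUsed") == "Browser"
                   and not (s.get("deviceDetail") or {}).get("deviceId")})
```

Feed it the JSON from a real export instead of `SAMPLE_SIGNINS` to see which browsers, and which users' devices, never present a device ID.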


2 answers

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2020-11-19T05:33:19.377+00:00

    @Romain PHILIPPE Can you make sure that you are logged in to the Edge browser with corp credential and try again.

    This might happen if the device is not correctly registered to AAD or if the devices are in dual state.
    To troubleshoot the device state you can use the following PowerShell script to verify the device health:
    https://gallery.technet.microsoft.com/Device-Registration-84e1fa4f and check for option 5.


    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  2. Long Nguyen Xuan 1 Reputation point
    2021-09-13T09:24:47.553+00:00

    Dear @VipulSparsh-MSFT ,

    We have one app which is installed from Intune via the Company Portal app in the same way as Edge.
    However, our app cannot send device ID to Intune as Edge does when doing SSO.
    What should we do to make our app be able to send Device ID to Intune?

    Thanks