Thanks for your time and patience. I was able to validate this and have the following suggestions for you:
- Ensure that you have used OMA URI with custom policy and not service catalog policy:
To protect your environment and prevent Web Sign-in and above-lock PIN reset outages, you must deploy the ConfigureWebSignInAllowedUrls MDM policy via a custom OMA-URI setting as follows:
./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls = first.federated.domain.com;second.federated.domain.com
- Log in with an admin account and look for the Shell-Core\Operational log:
CloudExperienceHost Web App Event 2. Name: 'NavigationBlocked', Value: '{"uri":"https://accounts.google.com/..."}'.
- Try enrolling in MFA and setting up the Authenticator app for the test user before testing the web sign-in. Once done, try to repro the issue again. This would confirm whether the issue is related to MFA enrollment and not to the Intune policy.
- Also validate that the device is Entra ID joined and running Windows 11, version 22H2 with 5030310 or later, as Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.
If you don't have any further queries and the suggestion works as per your business need, please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
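As an added illustration (not part of the answer above, and not Microsoft's tooling), the following PowerShell script audits the NavigationBlocked events the answer points to against the ConfigureWebSignInAllowedUrls allow-list. It assumes the log is named Microsoft-Windows-Shell-Core/Operational, that blocked navigations appear as CloudExperienceHost messages containing NavigationBlocked with a JSON payload of the form {"uri":"https://..."} (the format quoted above), and it defaults the allow-list to the placeholder domains from the OMA-URI example. The -SampleOnly switch runs it over constructed sample messages instead of the live log.

```powershell
# Added example: compare Web Sign-in NavigationBlocked events with the allow-list.
# Assumed log name and message format; run elevated on the affected device.
param(
    # Semicolon-separated list, same format as the OMA-URI value. The default is the
    # placeholder from the answer; replace it with your federated IdP domains.
    [string]$AllowedUrls = 'first.federated.domain.com;second.federated.domain.com',
    [int]$MaxEvents = 500,
    # Use constructed sample messages instead of reading the live event log.
    [switch]$SampleOnly
)

function Get-AllowedHosts {
    param([string]$PolicyValue)
    @($PolicyValue -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' })
}

# A host is covered if it equals an allowed domain or is a subdomain of one.
function Test-HostAllowed {
    param([string]$HostName, [string[]]$AllowedHosts)
    $h = $HostName.ToLowerInvariant()
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

# Extract the blocked URI from the JSON fragment inside the event message.
function Get-BlockedUri {
    param([string]$Message)
    if ($Message -match '(\{"uri":.*?\})') {
        try { return [uri]((ConvertFrom-Json $Matches[1]).uri) } catch { return $null }
    }
    return $null
}

function Get-NavigationBlockedMessages {
    param([int]$Max, [switch]$Sample)
    if ($Sample) {
        # Constructed sample messages modelled on the format quoted in the answer.
        return @(
            "CloudExperienceHost Web App Event 2. Name: 'NavigationBlocked', Value: '{""uri"":""https://accounts.google.com/o/saml2/idp?idpid=example""}'.",
            "CloudExperienceHost Web App Event 2. Name: 'NavigationBlocked', Value: '{""uri"":""https://sso.first.federated.domain.com/adfs/ls/""}'."
        )
    }
    Get-WinEvent -LogName 'Microsoft-Windows-Shell-Core/Operational' -MaxEvents $Max -ErrorAction Stop |
        Where-Object { $_.Message -like '*NavigationBlocked*' } |
        ForEach-Object { $_.Message }
}

$allowed = Get-AllowedHosts -PolicyValue $AllowedUrls
$missing = @{}

foreach ($msg in (Get-NavigationBlockedMessages -Max $MaxEvents -Sample:$SampleOnly)) {
    $uri = Get-BlockedUri -Message $msg
    if (-not $uri) { continue }
    # A host that is in the allow-list yet still blocked suggests the policy did not apply
    # (for example, it was pushed via the wrong policy type rather than a custom OMA-URI).
    $status = if (Test-HostAllowed -HostName $uri.Host -AllowedHosts $allowed) {
        'listed-but-blocked'
    } else {
        'NOT in allow-list'
        $missing[$uri.Host] = $true
    }
    '{0,-20} {1}' -f $status, $uri.AbsoluteUri
}

if ($missing.Count -gt 0) {
    "`nHosts blocked but absent from ConfigureWebSignInAllowedUrls:"
    $missing.Keys | Sort-Object | ForEach-Object { "  $_" }
    "`nCandidate OMA-URI value (review before deploying):"
    '  ' + ((@($allowed) + @($missing.Keys)) | Sort-Object -Unique) -join ';'
}
```

Two outcomes are worth distinguishing in the output: a host reported as NOT in allow-list is a candidate for adding to the policy, but only if it genuinely belongs to your federated sign-in flow; a host reported as listed-but-blocked indicates that the policy value is correct but has not reached the device, which is the custom OMA-URI versus catalog-policy point in the first suggestion.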