My company is working with hybrid Azure AD joined devices.
We wished to use a conditional access policy to require MFA to sign in to all apps, except from hybrid-joined devices.
It's working fine for all client apps, but I have a problem with sign-in from browser.
Some sign-ins, not all, are prompted for MFA despite using a correctly hybrid-joined device.
Looking at AAD sign-in logs:
A minority of sign-in attempts to log on from Edge Browser on correctly hybrid-joined devices are lacking any "Device ID" info in AAD sign-in logs, and so those sign-ins are prompted for MFA.
Most, but not all, of the connections from other browsers (Chrome, Firefox) on correctly hybrid-joined devices are lacking the device ID. Some Chrome browsers seem to have it though.
What is the rule there? Are we forced to work with Edge in this scenario? What would cause my Edge sign-in to not have the device ID?
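A way to quantify the symptom described above, as an added example that is not part of the original post: a small Python triage script that reads sign-in records in the Microsoft Graph `signIn` shape (`deviceDetail.deviceId`, `deviceDetail.browser`, `authenticationRequirement`) and counts, per browser family, how many sign-ins carried no device ID and were consequently required to complete MFA. The records below are constructed sample data, not real log entries.

```python
import json
from collections import defaultdict

# Constructed sample of Azure AD sign-in log entries, trimmed to the fields
# this triage needs (same field names as the Microsoft Graph signIn resource).
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"deviceId": "a1b2c3d4-0000-0000-0000-000000000001",
                      "trustType": "Hybrid Azure AD joined", "browser": "Edge 120.0.0"},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"id": "s2", "userPrincipalName": "alice@contoso.example",
     "deviceDetail": {"deviceId": "", "trustType": "", "browser": "Edge 120.0.0"},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"id": "s3", "userPrincipalName": "bob@contoso.example",
     "deviceDetail": {"deviceId": "a1b2c3d4-0000-0000-0000-000000000002",
                      "trustType": "Hybrid Azure AD joined", "browser": "Chrome 120.0.0"},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"id": "s4", "userPrincipalName": "bob@contoso.example",
     "deviceDetail": {"deviceId": "", "trustType": "", "browser": "Chrome 120.0.0"},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"id": "s5", "userPrincipalName": "carol@contoso.example",
     "deviceDetail": {"deviceId": "", "trustType": "", "browser": "Firefox 121.0"},
     "authenticationRequirement": "multiFactorAuthentication"},
])


def browser_family(browser):
    """Reduce 'Edge 120.0.0' to 'Edge'; unknown or empty values become 'Unknown'."""
    return browser.split(" ")[0] if browser else "Unknown"


def summarize(signins):
    """Per browser family: sign-ins with a device ID, without one, and how many
    of the latter ended up being required to do MFA (the CA exclusion did not apply)."""
    stats = defaultdict(lambda: {"with_device_id": 0, "without_device_id": 0,
                                 "mfa_without_device_id": 0})
    for s in signins:
        dd = s.get("deviceDetail") or {}
        fam = browser_family(dd.get("browser"))
        if dd.get("deviceId"):
            stats[fam]["with_device_id"] += 1
        else:
            stats[fam]["without_device_id"] += 1
            if s.get("authenticationRequirement") == "multiFactorAuthentication":
                stats[fam]["mfa_without_device_id"] += 1
    return dict(stats)


def signins_missing_device_id(signins):
    """IDs of sign-ins that carried no device ID, for a closer look at the client."""
    return [s["id"] for s in signins if not (s.get("deviceDetail") or {}).get("deviceId")]


if __name__ == "__main__":
    records = json.loads(SAMPLE_SIGNINS)
    print(json.dumps(summarize(records), indent=2))
    print("missing device ID:", signins_missing_device_id(records))
```

With a real export (for example from the Entra portal's sign-in log download or a Graph query on `/auditLogs/signIns`), replace `SAMPLE_SIGNINS` with the exported JSON array; the counts show directly whether the missing device ID is specific to one browser or spread across all of them.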