RomainPHILIPPE-2360 asked vipulsparsh-MSFT commented

Sign-in log for browser is lacking device ID

Hello,

My company is working with hybrid Azure AD joined devices.

We wished to use a conditional access policy to require MFA to sign-in to all apps, except from Hybrid-joined devices.

It's working fine for all client apps, but I have a problem with sign-in from browser.

Some sign-ins, not all, are prompted for MFA despite using a correctly hybrid-joined device.

Looking at AAD sign-in logs:

  • A minority of sign-in attempts to log on from Edge Browser on correctly hybrid-joined devices are lacking any "Device ID" info in AAD sign-in logs, and so those sign-ins are prompted for MFA.


  • Most, but not all, of the connections from other browsers (Chrome, Firefox) on correctly hybrid-joined devices are lacking the device ID. Some Chrome browsers seem to have it though.


What is the rule there? Are we forced to work with Edge in this scenario? What would cause my Edge sign-in to not have the device ID?

Tags: azure-ad-conditional-access, azure-ad-sign-in-logs, azure-ad-hybrid-identity

vipulsparsh-MSFT answered ShaniIsraeli-8063 commented

@RomainPHILIPPE-2360 Can you make sure that you are logged in to the Edge browser with corp credentials and try again?

This might happen if the device is not correctly registered to AAD or if the devices are in dual state.
To troubleshoot the device state you can use the following PowerShell script to verify the device health:
https://gallery.technet.microsoft.com/Device-Registration-84e1fa4f and check for option 5.

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.






@RomainPHILIPPE-2360
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


@vipulsparsh-MSFT the attached link is broken, can you please elaborate about troubleshooting this?

I'm having the same issue: sign-in attempts to log on from the Edge browser on hybrid-joined devices are lacking any "Device ID" info in AAD sign-in logs.

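Since the script linked in the answer above is no longer available, here is an added example (not from the thread) that performs the same kind of device-state check: it parses the output of the built-in `dsregcmd /status` and reports whether the device is hybrid joined, holds an Azure AD PRT (which browser SSO relies on to present the device ID), or is in the dual state the answer mentions. The function name `Get-DsregState` and the sample output block are constructed for this example.

```powershell
# Added example, not from the thread: classify the device join state that browser
# SSO depends on by parsing `dsregcmd /status` output. The field names
# (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt) are the ones dsregcmd
# prints; Get-DsregState and the sample block below are constructed.

function Get-DsregState {
    param(
        # Lines of dsregcmd output; defaults to running the tool on this machine.
        [string[]]$Lines = (& dsregcmd /status)
    )
    $fields = @{}
    foreach ($line in $Lines) {
        # Value lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $hybridJoined = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    $registered   = $fields['WorkplaceJoined'] -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt'] -eq 'YES'

    $verdict = if (-not $hybridJoined) { 'Not hybrid Azure AD joined' }
               elseif ($registered)    { 'Dual state: hybrid joined AND Azure AD registered' }
               elseif (-not $hasPrt)   { 'Hybrid joined but no PRT: browser sign-ins will lack the device ID' }
               else                    { 'Hybrid joined with PRT: browser SSO can present the device ID' }

    [pscustomobject]@{
        AzureAdJoined   = $fields['AzureAdJoined']
        DomainJoined    = $fields['DomainJoined']
        WorkplaceJoined = $fields['WorkplaceJoined']
        AzureAdPrt      = $fields['AzureAdPrt']
        Verdict         = $verdict
    }
}

# Constructed sample in dsregcmd's layout, so the parser can be exercised offline.
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| User State                                                           |
           WorkplaceJoined : YES
| SSO State                                                            |
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-DsregState -Lines $sample   # constructed sample: reports the dual state
Get-DsregState                  # live check on the current Windows device
```

Run the live check on one of the devices whose Edge sign-ins show no device ID and compare the Verdict with a device whose sign-ins do carry it.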
LongNguyenXuan-2088 answered vipulsparsh-MSFT commented

Dear @vipulsparsh-MSFT,

We have one app which is installed from Intune via the Company Portal app in the same way as Edge.
However, our app cannot send device ID to Intune as Edge does when doing SSO.
What should we do to make our app be able to send Device ID to Intune?

Thanks


@LongNguyenXuan-2088 make sure to utilize the Intune SDK for Android or iOS for your custom app development; it helps you to integrate the app with ADAL/MSAL, which will allow you to utilize features like SSO and also pass on device details to Azure AD.

iOS: https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-ios
Android: https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-android


@LongNguyenXuan-2088 Let me know if the above information helped you.
