This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 77%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
Sign-In logs show the user is using a non-compliant device, however the device IS compliant.
Sign-in log is also void of the Device ID in this specific log, so it's as if after signing in to the phone app that is SSO'd the deny message says they must use Edge or Safari, but the users are using Safari when they get the message...
The user is using a browser that does not support device identification so the device state is unknown. Access to the resource requires a compliant device. To see a list of browsers that support device identification, see https://docs.microsoft.com/azure/active-directory/conditional-access/technical-reference#supported-browsers
Device ID
Browser
Mobile Safari 16.2
Operating System
iOS 16
Compliant
No
Managed
No
Join Type
UPDATE: As a work around I've removed the Compliant Device requirement for iOS and it works without issue. My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access, however that is a HUGE issue because out LastPass is federated/SSO. Works fine for BYOD Android I might add IF its through the Work Profile.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 40%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
I'm also in a very similar situation. I suspect your assumption here is correct:
"My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access"
I can see the sign request coming form:
Browser: Mobile Safari 16.2
Operating System: iOS 16
however, no Device ID is displayed.
Going deeper into troubleshooting:
The device is clearly joined and compliant, it was confirmed in Intune and by looking up the device info.
Now I wonder what's stopping Safari to pass the Device ID onto the auth flow?
**For those stumbling upon this discussion:
The issue of the in-app browser (Safari) not communicating Device ID with CA was resolved by deploying the following configuration profile:**
[https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos
Enterprise SSO plugin resolved our issue and I successfully authenticated with a compliant iPad based on device ID/compliance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Attila Balogh, For your scenario, I suggest open case to troubleshoot on it.
@Dalton Reeves, Thanks for posting in Q&A. From your description, it seems condition access policy block our access.
To troubleshoot the issue, please collect the following information to clarify:
Please check the above information and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
The device is compliant per Intune, plus we've resync'd it repeatedly over the last couple days.
As a work around I've removed the Compliant Device requirement for iOS and it works without issue. My assumption is the iOS app is using an embedded Safari browser that for some reason can't play with Conditional Access, however that is a HUGE issue because out LastPass is federated/SSO. Works fine for BYOD Android I might add IF its through the Work Profile.
@Dalton Reeves, Thanks for the response.
Based as I know, for iOS, Safari is supported for device-based Conditional Access, but it can not satisfy the Require approved client app or Require app protection policy conditions. Here is a link with more details:
I notice you have tried to remove the compliant requirement to temporary let it work. If you still have interest to work on the issue, I will still provide suggestion.
As I know the conditional access evaluate the compliance status from AAD, I wonder if there's some issue during the state sync from Intune to AAD. I notice the state under Intune is compliant. I suggest to go to AAD portal to see if the device also shows compliant there.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
im aslo facing same issue can you provide permanent solution for the issue
I am also facing similar issue can you provide suggestion to fix this issue on permanent
Does the sign-in work with Edge?
There's no way to dictate the browser because its an iOS app. So it's defaulting to Safari even if Edge is selected. Ive seen a similar issue on a desktop app using embedded Chrome. What doesn't make sense here is the error states its Safari while the error is saying USE Safari..
The app is LastPass.
You can try setting Edge as the default browser in settings for testing. Another option is to exclude lastpass from cloud apps in the CA policy.
yeah thats been done as I stated above, unfortunately it has no effect.
Also appears that iPad Pros are showing up as MacOS and doesn't work with the iOS excluded from the check...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 48%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
This was happening with me, if you take a look a the sign-in logs, some of these third party apps use other internet browsers for device authentication ie Firefox, Chrome, etc, Intune mobile device compliance policies can only authenticate using managed browsers such as Safari and Edge.