Conditional Access Policy Blocking Compliant Device in WebView2

Randy 0 Reputation points
2025-03-12T16:00:04.23+00:00

We have set a compliance policy in MS Entra to require that only devices that are registered and compliant with our email tenant can access our WebView2 email application. Prior to creating and sending new email messages, the user must log in to their account. We have verified that the policy works properly when logging in with Outlook, but not with the WebView2 app. Below is the policy that was created. The target resource is 'Office 365'.

[screenshot: Entra1]

Here is the compliant device listed in Entra:

[screenshot: Entra2]

This is the result when the user logs in to their account from within the WebView2 app:

[screenshot: Entra3]

I assume the answer lies in either our WebView2 browser setup, or with our interface to GraphAPI. Here are some of the changes we've made to the Graph application builder.

[screenshot: Entra4]

Using UseEmbeddedWebView for the auth process with both true and false has had no effect:

[screenshot: Entra5]

I've also tried creating some additional browser arguments in the WebView2 code.

[screenshot: Entra6]

There isn't much documentation online to solve this. I've seen posts about enabling the WebView2 browser to use the auth for the user that logged into Windows. This won't work for us, as we allow the user to log in with multiple accounts when sending email.

Any help resolving this would be greatly appreciated. We have users that are stuck until we get a solution for this.

Thanks!


1 answer

  1. Goutam Pratti 6,195 Reputation points Microsoft External Staff Moderator
    2025-03-19T06:49:28.1233333+00:00

    Hello @Randy ,

    I understand that you created a Conditional Access policy so that only devices that are registered and compliant with your email tenant can access your WebView2 email application.

    You are getting the error code 53000 even though the status of the device is compliant. This error usually occurs with DeviceNotCompliant: Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune. For additional information, please visit **Conditional Access device remediation**. I want you to check the sign-in logs to see whether the deviceID is passed or not. You can verify by going to the Azure portal: Identity > Monitoring & health > Sign-in logs.

    [screenshot: sign-in log entry]

    Are you using Edge every time you attempt to sign in? There is a known issue with other browsers that can cause this error to occur. If there is no device information sent in the sign-in logs, this might be the problem. Device information is sent when there is a PRT and the user is logged on to the browser. If the user is trying to log in with a browser other than Edge, the extension is needed. Also, the device check fails if the browser is running in private mode or if cookies are disabled.

    If this is the case, you can test by asking the user to log on to the Edge browser or install the extension to see if the issue is resolved.

    Refer the document for conditions and extensions: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions

    Hope this helps. Do let us know if you have any further queries.
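The check the answer asks for (is a deviceId present in the sign-in record, and if so, is the device recorded as compliant?) is easy to apply in bulk once the sign-in entries are exported. The script below is an added example and is not code from the original thread or from Microsoft. It works on records constructed here in the shape of Microsoft Graph `auditLogs/signIns` objects (only the fields it reads are included; every user, app name, ID and policy name is made up) and sorts each 53000 failure into one of three cases: no device identity was presented at all (the answer ties this to a missing PRT), the device was known but not compliant, or the device was compliant and the policy still failed, which points at the policy itself rather than the device.

```python
"""Triage Microsoft Entra sign-in log entries blocked with error 53000.

Added example, not from the original post or Microsoft documentation.
The records below are constructed in the shape of Microsoft Graph
`auditLogs/signIns` objects; only the fields this script reads are
present and every name, ID and value is made up.
"""
import json
from collections import Counter

# Entra error code discussed in the thread: DeviceNotCompliant.
DEVICE_NOT_COMPLIANT = 53000

# Constructed sample: a desktop Outlook sign-in that passed, and three
# sign-ins from a custom mail client that were blocked for different reasons.
SAMPLE_SIGNINS = json.loads("""
[
  {"id": "s1", "userPrincipalName": "user1@contoso.example",
   "appDisplayName": "Microsoft Outlook",
   "clientAppUsed": "Mobile Apps and Desktop clients",
   "conditionalAccessStatus": "success",
   "deviceDetail": {"deviceId": "11111111-1111-1111-1111-111111111111",
                    "browser": "", "isCompliant": true, "isManaged": true},
   "status": {"errorCode": 0},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for O365", "result": "success"}]},
  {"id": "s2", "userPrincipalName": "user1@contoso.example",
   "appDisplayName": "Contoso Mail Client",
   "clientAppUsed": "Browser",
   "conditionalAccessStatus": "failure",
   "deviceDetail": {"deviceId": "", "browser": "Edge 123.0.0",
                    "isCompliant": false, "isManaged": false},
   "status": {"errorCode": 53000},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for O365", "result": "failure"}]},
  {"id": "s3", "userPrincipalName": "user2@contoso.example",
   "appDisplayName": "Contoso Mail Client",
   "clientAppUsed": "Browser",
   "conditionalAccessStatus": "failure",
   "deviceDetail": {"deviceId": "22222222-2222-2222-2222-222222222222",
                    "browser": "Edge 123.0.0", "isCompliant": false, "isManaged": true},
   "status": {"errorCode": 53000},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for O365", "result": "failure"}]},
  {"id": "s4", "userPrincipalName": "user3@contoso.example",
   "appDisplayName": "Contoso Mail Client",
   "clientAppUsed": "Browser",
   "conditionalAccessStatus": "failure",
   "deviceDetail": {"deviceId": "33333333-3333-3333-3333-333333333333",
                    "browser": "Edge 123.0.0", "isCompliant": true, "isManaged": true},
   "status": {"errorCode": 53000},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require compliant device for O365", "result": "failure"}]}
]
""")


def triage(signin):
    """Classify one sign-in record.

    Returns one of:
      "not-blocked"           - the request was not rejected with 53000
      "no-device-identity"    - 53000 and an empty deviceId: the client never
                                presented device identity, so compliance could
                                not be evaluated (no PRT reached Entra)
      "device-not-compliant"  - 53000, device known, isCompliant is false
      "compliant-but-blocked" - 53000 although the device is recorded as
                                compliant; inspect the failing policies
    """
    if signin.get("status", {}).get("errorCode") != DEVICE_NOT_COMPLIANT:
        return "not-blocked"
    device = signin.get("deviceDetail") or {}
    if not device.get("deviceId"):
        return "no-device-identity"
    if not device.get("isCompliant"):
        return "device-not-compliant"
    return "compliant-but-blocked"


def failed_policies(signin):
    """Names of the Conditional Access policies that failed for this sign-in."""
    return [p["displayName"]
            for p in signin.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]


def summarize(signins):
    """Count triage categories per application, so a client that never sends
    device identity stands out next to one (like Outlook) that does."""
    counts = Counter()
    for s in signins:
        counts[(s.get("appDisplayName", "?"), triage(s))] += 1
    return dict(counts)


if __name__ == "__main__":
    # Live records would come from Graph instead of the sample, e.g.:
    #   GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=status/errorCode eq 53000
    for s in SAMPLE_SIGNINS:
        print(s["id"], s["appDisplayName"], s["userPrincipalName"], "->",
              triage(s), failed_policies(s))
    for (app, category), n in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(f"{app:22} {category:22} {n}")
```

Run against a real export, a cluster of "no-device-identity" results for the custom client while Outlook sign-ins from the same users carry a deviceId is the pattern the answer describes: the device is fine, but the client is not presenting it. A cluster of "compliant-but-blocked" results instead means the policy evaluation, not the device, needs a closer look.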

