Sign-In with Edge (and Chrome with the Windows 10 Accounts extension) Conditional Access - no Device ID

Covalt, Jonathan G 141 Reputation points

We are trying to use conditional access policies to force users to use Multifactor Authentication if they are on a device that is not Hybrid Azure AD Joined. This policy works fine for Outlook, Teams, etc. However, when logging into OWA, SharePoint Online sites, or other web apps using either Chrome (with the Windows 10 Accounts extension) or on Chromium Edge, users are still prompted for MFA.

What's most interesting is that, when using these browsers, the Azure Sign-In log shows no Device ID, despite the fact that the device is joined as a Hybrid Azure AD device, and the full applications do show the Device ID.

Has anyone encountered and resolved this issue?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,092 questions
0 comments No comments
{count} votes

Accepted answer
  1. Covalt, Jonathan G 141 Reputation points

    This issue is, seemingly, resolved. We found that logging out of all Edge profiles, then only logging in with the user's O365/Azure account (with their e-mail address) and enabling sync seems to fix this.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee

    @Covalt, Jonathan G Can you make sure that the device on which users are prompted for MFA even they are Hybrid AAD Joined, are logged into the browser profile.
    Hybrid AADJ should login the user automatically, and if that is not happening for some reason, this is expected.

    Read more here

    If you see that the user is properly signed in, you might need to work with support to investigate further.