Why is the signin_state flag missing from the JWT when the user has logged in from a Mac browser?

arunabha bhattacharya 181 Reputation points

Goal: identify if a device is managed (Azure joined).
Approach: verify that the logged-in user's JWT has a claim signin_state with a flag dvc_mngd.

This works if the user signs in to Azure AD from a Windows system (Edge or Chrome), but if the user signs in from a Mac system (Safari or Chrome) to Azure AD, then we find the flag is missing in their JWT.


  1. Do we need to configure anything in Azure AD so that this claim gets added, or is that a restriction for Mac?
  2. If that is a restriction, then is there any alternative way to know programmatically if the user has signed in to AAD from a managed device?

Thank you.

Microsoft Entra ID
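The check described in the question, as an added example that is not part of the original post: it reads the claims of a token and separates "flag present", "claim present without the flag" and "claim absent", which is the distinction to record when comparing tokens from Windows and Mac sign-ins. The function names and the two sample tokens are constructed for illustration; the claim is assumed to arrive as a string or an array of strings, and signature validation is assumed to have been done already by a JWT library.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Does NOT verify the signature:
    call this only on a token that a JWT library has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def device_state(claims: dict) -> str:
    """Classify the token by its signin_state claim.

    managed      -> signin_state contains dvc_mngd
    flag_absent  -> signin_state is present but does not contain dvc_mngd
    claim_absent -> the token carries no signin_state claim at all
    """
    raw = claims.get("signin_state")
    if raw is None:
        return "claim_absent"
    if isinstance(raw, str):
        flags = [raw]
    elif isinstance(raw, (list, tuple)):
        flags = list(raw)
    else:
        flags = []
    return "managed" if "dvc_mngd" in flags else "flag_absent"


# Constructed samples mirroring the two situations described in the question.
WINDOWS_SAMPLE = make_sample_token({"sub": "user-1", "signin_state": ["dvc_mngd", "kmsi"]})
MAC_SAMPLE = make_sample_token({"sub": "user-1"})
```

Logging the three states separately shows whether a Mac sign-in drops the whole claim or only the dvc_mngd flag, and keeps a missing claim from being silently treated the same as a present one.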