Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Why signin_state flag is missing in the JWT when user has logged in from a Mac browser?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 75%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
arunabha bhattacharya
181
Reputation points
Goal: identify if a device is managed (Azure joined).
Approach: verify that the logged in user's JWT has a claim signin_state with a flag dvc_mngd.
This works if the user signs in to Azure AD from a Windows system (Edge or Chrome) but if the user signs in from a Mac system (Safari or Chrome) to Azure AD then we find the flag is missing in their JWT.
Question:
- do we need to configure anything in Azure AD so that this claim gets added or is that a restriction for Mac?
- if that is a restriction then is there any alternative way to know programmatically if user has signed in to AAD from a managed device?
Thank you.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Jason Sandys 31,421 Reputation points Microsoft Employee Moderator2021-09-14T14:01:41.077+00:00 Don't know the answer here but I adjusted the tags for this question to better reflect where the problem may lie as it's unrelated to Intune (AAD joined/registered is not the same as being managed) and it's also unrelated to app registrations in AAD.
Sign in to comment
Sign in to answer