You have created a Conditional Access (CA) Policy in which you have defined a session control for Conditional Access App control setting to blocks downloads from Microsoft Online services e.g. Sharepoint, Teams, Exchange Online etc. In this policy, you have also excluded the Devices which are compliant by using a Device State condition.
But when users working from a compliant device, they are unable to download files. If there are additional Defender for Cloud apps policies in place which are targeted to non-compliant devices, those policies will also not be affected / work.
When you will check user’s sign-in logs on Microsoft Azure Portal, you will find that the Join type is blank and therefore device compliant calculation says Compliant: No.
Therefore, even if the device is compliant, it seems like the device compliance details are not sent to Azure AD. This occurs when you access any cloud based application using an web browser for example Google Chrome or Microsoft Edge.
Device compliant setting only works with the following supported browsers. Device check fails if web browser is running in private mode or if cookies are disabled. Google Chrome requires an Extension called Windows Accounts to be able to identify the Device if its compliant or not. For Microsoft Edge, you need to be logged in to edge browser to be able to identify the Device status.
| OS | Browsers |
|---|---|
| Windows 10 | Microsoft Edge, Internet Explorer, Chrome, Firefox 91+ |
| Windows 8 / 8.1 | Internet Explorer, Chrome |
| Windows 7 | Internet Explorer, Chrome |
| macOS | Microsoft Edge, Chrome, Safari |
| iOS | Microsoft Edge, Intune Managed Browser, Safari |
| Android | Microsoft Edge, Intune Managed Browser, Chrome |
| Windows Server 2019 | Microsoft Edge, Internet Explorer, Chrome |
| Source: Microsoft |
Install Windows Accounts Extension for Google chrome
Install Windows Accounts Google Chrome Extension and login on this extension using organization credentials. Description of this extension provides information that this plugin is required if your organization has implemented conditional access policy.
Install this extension, login using organization email ID and password, then login to sharepoint, onedrive etc. You will be able to download the files this time. Let’s check how it looks on the Azure Portal User sign-in logs.
| Windows Accounts Extension Information |
|---|
| Sign in to supported websites with accounts on Windows 10/11 Use this extension to sign in to supported websites with accounts on Windows 10 and later versions. If you have a Microsoft supported identity on Windows 10 or later, you won’t be required to enter your credentials to sign in to supported websites. You’ll need to use this extension if your organization has implemented conditional access policy. Currently, this extension supports Azure Active Directory identities. |
Now we can see that the device compliance status is being sent to Azure AD. If you have a Conditional access policy which allows downloads from Sharepoint / Onedrive / Exchange Online only from compliant device. Then this device will no longer blocked as the device is in compliant state.
Microsoft Edge Browser Support
When using Microsoft Edge browser, sign in using your organization account by using below steps:
- Open Microsoft Edge browser application.
- Select Profile image in the browser taskbar.
- Click on Sign in
- Select or use your organization email ID and password to signin to Microsoft Edge browser.
You should be able to download the documents from Sharepoint / Onedrive / MS Teams or any other Microsoft 365 application provided you are on a compliant device and your IT administrator has allowed downloading files on a compliant device.
Conclusion
In this blog post, we have seen how to send device compliance status to Azure AD when using Google chrome browser. You will require a Windows Accounts extension for this. Microsoft Edge natively supports authentication with Azure AD therefore you will not require any extension for Microsoft Edge browser.