Tuesday, December 7, 2021

Browser restrictions and configuration when using Conditional Access on your modern workplace

Must read

avatar
Kenneth van Surksumhttps://www.vansurksum.com/
I started my career in 1995 as a System Engineer in the broadcast industry, building and maintaining video editing suites and television studio's and later specializing in Telecine equipment. In 1998 I switched to a first line support function within the Information Technlogy on the dealing room of a large bank, working my way up to a 3rd line support engineer. From this position i started to work on projects, which eventually resulted in projects where I worked across the border. In this period I implemented and designed several deployment solutions for mass rollout of workstations, laptops and servers. Since 2009 I switched to a consultancy function mainly focusing on but not limited to System Center design and implementation projects, besides that I became a Microsoft Certified Trainer (MCT) and currently teach System Center Related Classes (SCCM, SCOM and SCSM). In Januari 2010 I received the Microsoft MVP award with the expertise Setup & Deployment which was extended in 2011 and 2012. In 2013 and 2014 I was awarded the VMware vExpert award. In october 2014 I received the Microsoft MVP award with the expertise System Center Cloud and Datacenter Management (SCCDM).

This article is about a subject I covered before in my blogpost titled: “Understanding and governing reauthentication settings in Azure Active Directory“. The reason I’m doing a more specific article on the subject is because I see a lot of issues when it comes to browser configuration which must be solved if you want to implement Conditional Access and use compliance as a way to grant access the environment.

Even though you are working in the browser on a compliant device, doesn’t necessarily mean that Azure AD can detect that. Therefore you must make sure that your browsers are configured correctly before you implement the Conditional Access policy. For an overview of my recommended set of Conditional Access policies see: Conditional Access demystified: My recommended default set of policies

Some examples I often encounter: End user is working on a compliant device, but cannot download or print files when using the web interface to connect to SharePoint online, this is caused by the App Enforced Restrictions policy being active (see: Limit Access to Outlook Web Access, SharePoint Online and OneDrive using Conditional Access App Enforced Restrictions). Or, MCAS blocks the download of a file, even though the user is working on a compliant device. (see: Extending Conditional Access to Microsoft Cloud App Security using Conditional Access App Control)

Browser support

This all has to do with browser support and configuration, below is an overview of the requirements and what is, and what’s not supported. Currently Microsoft supports the following browsers:

os 
Windows 10 
Windows 8 / 8.1 
Windows 7 
iOS 
Android 
Windows Phone 
Windows Server 2019 
Windows Server 2016 
Windows Server 2012 R2 
Windows Server 2008 R2 
macOS 
Browsers 
Microsoft Edge, Internet Explorer, Chrome 
Internet Explorer, Chrome 
Internet Explorer, Chrome 
Microsoft Edge, Intune Managed Browser, Safari 
Microsoft Edge, Intune Managed Browser, Chrome 
Microsoft Edge, Internet Explorer 
Microsoft Edge, Internet Explorer, Chrome 
Internet Explorer 
Internet Explorer 
Internet Explorer 
Chrome, Safari

Sign-in Logging

When users are using a non-supported configuration, this might reflect as followed in the Azure AD sign-in logging. As you can see the Conditional Access policy requires a compliant device before access to the resource can be given. And in this case, our test user Ferry was working on a compliant device (you have to take my word for it).

Mozilla FireFox

Mozilla Firefox isn’t a supported browser when it comes to Conditional Access. If you configure a conditional access policy enforcing App Enforced Restrictions for example, you will experience these restrictions even when working on a compliant device. Keep in mind that there are also other browsers who use the Mozilla engine, like Tor Browser, Waterfox, and SeaMonkey to name a few. All these browsers will not work in this scenario.

Google Chrome

In order for the Google Chrome browser to support the device authentication you must deploy the Windows 10 accounts extension in the Chrome browser to your devices. You’ll need this extension if you want to use the device compliancy within your Conditional Access policies.

Chrome We b St 
Windows 10 Accounts

Deploying extensions for Google Chrome using Microsoft Endpoint Manager

You can configure the Google Chrome browser running on a Intune/MEM managed Windows 10 device by using a Configuration Profile with a custom profile type.

In order for this to work, we first need to download the Google Chrome Bundle. Within that bundle you can find a folder called ADMX. From that folder you’ll need the chrome.admx file. Within the ADMX file we will use the ExtensionInstallForceList parameter to define the extensions we want to have installed.

(policy 
displayName="$(string.ExtensionInsta11Force1ist)" 
name=" ExtensionInsta11Force1ist" 
explainText="$(string. ExtensionInsta11Force1ist Explain)" 
presentation= " $ (presentation . Extensionlnstall Forcelist) " >
<parentCategory ref="Extensions"/>
<supportedon 
(elements><br />
(list id="ExtensionInsta11Force1istDesc"<br />
</elements><br />
/ poli<br />
cies  Google  Ch romeExtensionInsta11 Force list "<br />
val uePrefix= " " / > ” class=”wp-image-157723″ data-recalc-dims=”1″></a></figure>
<p>Secondly we must determine the unique identifiers for the extension(s) we want to install. You can determine this by browsing to the <a href=chrome web store. From the chrome web store we need the Windows 10 Accounts extension, which at time of writing has the following id:”ppnbnpeolgkicgegkbkbjmhlideopiji” make sure that if you are configuring this yourself to doublecheck whether the id still matches.

Windows 10 Accounts - Chrome X + 
C t https://chrome.google.com/webstore/detail/Wind0WS-lO-aCCOL•lntS/2.e.22.!2.e..:.2.!2.2E.2.2.!:.k.u.22.2.U:E22L7hl 
You can now add extensions from the Chrome Web Store to Microsoft Edge - Click on 'Add to Chrome'. 
e chrome web store 
Home > Extensions > Windows 10 Accounts<br />
Windows 10 Accounts<br />
Offered by: Microsoft<br />
• 10,000.000+ users<br />
397 Productivity<br />
=en-US<br />
00<br />
9<br />
Sign in<br />
Add to Chrome<br />
Overview<br />
Reviews<br />
Related<br />
Instantly access accounts added to Windows<br />
without re-entering user credentials<br />
Before<br />
Microsoft<br />
After ” class=”wp-image-157719″></a></figure>
<p>After downloading the ADMX file and figuring out which extensions we want to install by their ID in the chrome web store we can define our Configuration Policy.</p>
<p>First make sure that the custom policy ingests the ADMX file, use the following OMA-URI settings to configure this:</p>
<p><strong>Name:</strong> Chrome ADMX Ingestion (can be any name, but make it easy to understand what it does)</p>
<p><strong>Description:</strong> <Your description if you prefer></p>
<p><strong>OMA-URI: </strong>./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx</p>
<p><strong>Data type:</strong> String</p>
<p><strong>Value:</strong> Copy/Paste here the contents of the ADMX file.</p>
<div class=
Edit Row 
Ct. EVX 
Not 
Sri 
87.028015--
Chrome ADMX Ingestion

Secondly we can define the setting we want to make as defined in the ingested ADMX file. Be very careful here.

Name: ExtensionInstallForcelist (can be any name, but make it easy to understand what it does)

Description: <Your description if you prefer>

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist

Data type: String

Value: <enabled/> <data id=”ExtensionInstallForcelistDesc” value=”1ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx2bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx”/>

In the example above I also install another extension (The Microsoft Defender Browser Protection) as you can see the value must be carefully composed.

First of all, the ExtensionInstallForceList will eventually end up as a REG_MULTISZ registry string. Which means that each entry must be separated by the Unicode character 0xF000 (or  when encoded). You can also see that the URL https://clients2.google.com/service/update2/crx is being used. That URL is needed in order for the browser to determine the download path once its ready to download the extension. Each extension is also numbered, so the Windows 10 Accounts extension is number 1 and the Microsoft Defender Browser Protection extension is number 2. If you want to add more use 3, 4, etc…

ExtensionInstalForceList

Once configured assign the policy to a group and you verify whether the necessary extensions are installed within the Google Chrome browser.

Microsoft Edge

Microsoft Edge obviously supports device authentication, but whether this is being used is depending on the profile you are signed into. When you’re signed into a Microsoft Edge profile with enterprise Azure AD credentials, Microsoft Edge allows seamless access to enterprise cloud resources protected using Conditional Access. On a compliant device, the identity accessing the resource should match the identity on the profile. See: Accessing Conditional Access protected resources in Microsoft Edge for more information.

If you want to configure this sign-in for your devices you can use two settings using a Configuration Profile with an Administrative Template.

The first setting we must modify is the “Browser sign-in settings”, make sure that the setting is enabled, and that the option “Force users to sign-in to use the browser” is selected.

Browser Sign-in Settings

The second setting we must modify is called: “Configure whether a user always has a default profile automatically signed in with their work or school account”. Make sure that this setting is enabled.

Configure whether a user always has a default profile automatically signed in with their work or school account

The third setting is called: “Configure whether a user always has a default profile automatically signed in with their work or school account” and will prevent the user from removing the Microsoft Edge profile.

Configure whether a user always has a default profile automatically signed in with their work or school account

Finish the Configuration Profile and assign it to a group of your choosing.

On a sidenote, installing extensions in Microsoft Edge is much easier, since it’s also part of the Administrative Templates, search for  “Control which extensions are installed silently” and just supply the unique id or more in a list.

Extensions

Conclusion

Before rolling out Conditional Access make sure that you have configured the browsers on your Modern Workplace to support your Conditional Access scenario’s. Also make sure that you explain to your users which browsers can be used for what scenario. In the end it shouldn’t matter if they use non-standard browsers, as long as they are aware of the consequences.

The post Browser restrictions and configuration when using Conditional Access on your modern workplace first appeared on Modern Workplace Blog.

More articles

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest articles