I have implemented Conditional Access (CA) policies to block staff from signing into desktop applications on their personal devices.
The purpose is to ensure that company resources can only be accessed via secure, compliant, and Entra-joined devices. However, this restriction has unintentionally blocked the ability for staff to use Microsoft Edge to sync their work profiles on their personal devices.
They can only sign into their Microsoft accounts to access web apps (Outlook, Word, Excel, OneDrive, SharePoint) via office.com using Edge Browser on their personal devices.
As soon as they try to set up a work profile on Edge which will sync their history and favourites etc.
The sign in attempt gets blocked.
Current Setup:
- Conditional Access Policy in Place:
- Blocks access to desktop applications unless the device is Entra Joined or compliant.
- A device filter condition is configured to exclude personal devices from accessing corporate resources. (device.deviceOwnership -ne "Company")
- Device Platform Restrictions:
- CA policies target platforms like Windows, macOS, and Linux
- Client Apps Restrictions:
- The CA policy blocks access to apps under "Mobile apps and desktop clients" for unmanaged devices.
The Problem: While this policy effectively blocks desktop applications as intended, it also prevents Microsoft Edge from syncing work profiles on personal devices. Since personal devices are blocked from Entra join or registration by the CA policy, this prevents Edge from gaining the necessary identity access to sync profiles.
Attempted Solutions (Unsuccessful):
- Conditional Access Exclusions:
- Adjusted CA policies to exclude "Browser" under client apps, but this didn't allow Edge sync either.
- Adding Exceptions for Microsoft Edge:
- Investigated if I could create exclusions specific to Microsoft Edge using device filters and CA conditions, but this approach also failed because Edge is treated as a desktop application, falling under the "Mobile apps and desktop clients" category.
- Turned off the scope for Client apps for Mobile apps and desktop clients. This worked and allowed profile syncing as well as signing into all desktop apps like Outlook, Teams, Onedrive etc.
- Excluding Specific Resources in CA Policy:
- Attempted to exclude Microsoft Edge as a resource under Target Resources. This Failed because this exclusion appears to apply more to published web apps rather than the Office 365 web apps.
Desired Outcome:
Enable Microsoft Edge work profile sync on personal devices to allow users to sign in and sync their settings, passwords, and work profile data without compromising security or bypassing the Conditional Access block on other desktop applications.
Ideal Solution Requirements:
Maintain the CA policy that blocks desktop apps from unmanaged devices.
Enable Microsoft Edge work profile sync securely, ideally using a method that protects corporate data within the browser without requiring full device enrollment.
Questions for the Community:
- Is there a Microsoft-recommended method to allow Microsoft Edge work profile sync on personal devices while still enforcing Conditional Access controls?
- Are there any updates or alternative methods within Microsoft’s ecosystem that address this specific scenario?
- Is there a secure workaround to distinguish Microsoft Edge sync from other desktop applications when enforcing CA policies?
I would greatly appreciate any insights, solutions, or guidance on resolving this issue. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 90%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
