How to force the usage of Managed Browser via AD FS

ca-logoAfter the last blog about conditional access of Outlook Web App and SharePoint Online is forcing that the Managed Browser is used when accessing the service. This last part can be done via Active Directory Federation Service (AD FS). With AD FS you are able to allow or block access based on attributes of the client that is trying to authenticate.

As part of the March update of the Managed Browser the Managed Browser is identifiable as ManagedBrowser via the UserAgent, before March the Managed Browser had a generic UserAgent.

So to be able to control access based on which browser is used a claim rule needs to be added that only allows traffic from the Managed Browser. The following claim rule will allow Managed Browser access, together with your other claim rules that control access to Office 365. (see for some options here)

 

Added AD FS claim rule
Added AD FS claim rule

Add the following claim rule to the Insurance Authorization Rules of the Microsoft Office 365 Identity Platform relying trust partner:

NOT exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent”, Value =~ “ManagedBrowser\/”])
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/deny”, Value = “true”);

After adding this claim rule access to OWA or SharePoint Online via the normal browser is blocked by default, accessing the service via the Managed Browser is allowed.

Access denied with native browser
Access denied with native browser
Access allowed with Managed Browser
Access allowed with Managed Browser

Note in this example only the claim rule for the Managed Browser is used..

Off course there are ways to maybe spoof the User Agent of a Browser, but to be able to bypass spoofing we can enable device authentication on AD FS. With this setting we are able to check if a device is managed or not. Definitely a subject for another blog for the near future.

 

Comments

Total
0
Shares
3 comments
  1. The “ManagedBrowser” string is only sent from IOS devices. It does not work on Android.

  2. Do you know of an equivalent way of doing this with Azure AD / Azure AD App Proxy?

Leave a Reply to Jim Smith Cancel reply

Your email address will not be published. Required fields are marked *

Previous Post

Conditional Access for OWA and SharePoint web access arrive to Intune

Next Post

Link Updates and Servicing session at System Center Summer Night

Related Posts
Total
0
Share