Azure Conditional Access
I've been researching this somewhat and I'm not exactly sure where/what the exact problem is, to be honest. So far IE, Edge (new Chromium at least) and Chrome with the add-on from Microsoft work fine and authenticate properly with Conditional Access set up in an Azure environment, but for some reason Firefox does not; you get a "You can't get there from here" message.
Now from what I gather this is due to the way Conditional Access works and Firefox not being able to reply with the correct device authentication/ADAL when prompted for it. What I'm asking is, is this something that Mozilla can solve on their own or is this something that Microsoft has to work out on their end?
I'm fine with opening a bug report on Bugzilla, but I wanted to dig a bit deeper and hopefully understand the issue at hand so as not to waste developers' time if this is something that Microsoft should fix.
Source1: https://social.technet.microsoft.com/Forums/en-US/eafe0951-3929-46d1-bcbd-bbe5c006f0e4/firefox-not-compatible-with-conditional-access-why?forum=microsoftintuneprod
Source2: https://old.reddit.com/r/firefox/comments/b2jtnq/wtf_microsoft/
All Replies (9)
Is there a way I can get the Chrome add-on and look at it?
Actually we support client certificates now, so there should be a way to make this work.
Sorry, one more thing. Is this extension related?
The extension for Chrome is "Windows 10 Accounts" - https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en
Looks like https://addons.mozilla.org/en-US/firefox/addon/windows-10-accounts-port/ might do the trick. Is there any way to vet this extension or implement support without an extension (without UA spoofing, that's really something Microsoft should fix)?
Also this is the extension for Chrome provided by Microsoft - https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en
I'll take a look at the extension and see what it does. I'll also try to reach out to Microsoft.
Thanks Mike. I compared the Chrome add-on to the port version for Firefox; they seem to be doing the same thing, with the addition of user agent spoofing to fool Azure into believing we're actually Chrome so that the server offers the correct option(s). Other than that they are identical as far as I can tell, notwithstanding the obvious changes where necessary to make it work in Firefox, like 'chrome' replaced with 'browser' in background.js, plus the registry addon and JSON file that are required for it to work. This I can confirm now after testing.
However, the extension is a third-party port; I'm not saying there is anything wrong or suspect with it, but it would still be better if this could be implemented to work without an extension. Security (conditional access in this case) is of ever-increasing importance for enterprise users, so having said implementation supported directly is better than relying on a third party to do it.
Considering the amazing work Mozilla has been doing lately to support enterprise users this would be a really nice addition to your portfolio as a serious browser for business users.
Modified by Jax-Ur
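The comparison described in the post above can be scripted when vetting a third-party port against the vendor's original. This is an added example, not part of the original thread and not code from either extension: the file contents, the host name `com.example.host` and the `spoofUA` handler are constructed samples. It cancels out the expected 'chrome' to 'browser' rename and reports only what is left for manual review.

```python
import difflib
import re

# Constructed sample sources (assumption): NOT the real extension code.
VENDOR = {
    "background.js": (
        "chrome.runtime.onMessage.addListener(handle);\n"
        "chrome.runtime.sendNativeMessage('com.example.host', msg, reply);\n"
    ),
}
PORT = {
    "background.js": (
        "browser.runtime.onMessage.addListener(handle);\n"
        "browser.runtime.sendNativeMessage('com.example.host', msg, reply);\n"
        "browser.webRequest.onBeforeSendHeaders.addListener(spoofUA, filter, opts);\n"
    ),
    "native_host.json": '{"name": "com.example.host"}\n',
}

API_RENAME = re.compile(r"\bchrome\.")


def normalize(source):
    """Map the Chrome API namespace to Firefox's and drop blank lines,
    so the changes a port is expected to make cancel out."""
    return [API_RENAME.sub("browser.", line).strip()
            for line in source.splitlines() if line.strip()]


def residual_changes(vendor, port):
    """Return files added or removed by the port, plus per-file lines
    that still differ after normalization (the part to review by hand)."""
    report = {
        "added_files": sorted(set(port) - set(vendor)),
        "removed_files": sorted(set(vendor) - set(port)),
        "changed": {},
    }
    for name in sorted(set(vendor) & set(port)):
        delta = difflib.ndiff(normalize(vendor[name]), normalize(port[name]))
        lines = [d for d in delta if d[:2] in ("+ ", "- ")]
        if lines:
            report["changed"][name] = lines
    return report


if __name__ == "__main__":
    print(residual_changes(VENDOR, PORT))
```

On real input, load each unpacked extension directory into a dict of path to file text; every entry in the report is something the port does beyond the rename.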
I'm not sure how easily we could integrate, but I'm continuing to reach out to Microsoft to try to get an answer.