Our corporation requires hybrid joined devices (devices are registered in both Azure AD and AD). This is native functionality in Windows 10, and is supported with the installation of an additional agent in down-level Windows devices.
We leverage conditional access policies for our Azure authentication, to ensure that all users are coming from devices which we manage. Authentications done through the Edge browser are able to access the Hybrid Join token, and pass the conditional access policy.
Google Chrome does not support this natively and requires an add-in to function.
It appears that the XULRunner browser that the Notes client uses for the Azure authentication process is also unable to natively access this information. The error in Azure indicates that no information regarding device details was available. When disabling the policy, SAML login functions as expected.
Unfortunately, this makes it impossible for us to adopt SAML login, since we would have to exempt Notes from our security policies.
Is this something we could have added?
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji