Firefox not compatible with Conditional Access. Why?

  • Question

  • Hello, 

    Can somebody tell me why Mozilla Firefox is not compatible or supported with Conditional Access in Microsoft Intune?

    Are there technical or security reasons?

    We have users asking and want to know why.

    Thanks!

    Tuesday, February 27, 2018 3:24 PM

Answers

  • Hello, 

    I think the following can answer your question.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by BenVrba Thursday, March 1, 2018 6:15 PM
    Wednesday, February 28, 2018 2:10 AM

All replies

  • Not sure exactly what you expect here.

    Conditional Access is part of Azure AD, not Intune. CA is a method to allow or block authentication of an app to a service based on compliance checks -- typically the service uses Azure AD and modern auth. Possible compliance checks include things like the status of the device or what OS it's running.

    With that in mind, how exactly do you want Firefox to fit in here? What service is Firefox trying to get to that uses modern auth and Azure AD?

    Ultimately though, why aren't you asking Mozilla as it's really up to them and not Microsoft.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, February 27, 2018 4:45 PM
  • We have a Conditional Access policy that restricts access to SharePoint Online to "Select Client apps", with both "Browser" and "Mobile apps and desktop clients" selected.

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference

    When that policy is enforced, Firefox can't be used to access SharePoint Online. And it's expected.

    I just want to know what Firefox doesn't do that Chrome and Edge do. It could be a Firefox question, but I figure Microsoft might know since they didn't list Firefox as supported.

    Tuesday, February 27, 2018 6:01 PM
  • Thanks Andy,

    Looking further, the article also states:

    "These browsers support device authentication, allowing the device to be identified and validated against a policy. The device check fails if the browser is running in private mode."

    So I wonder if Firefox doesn't support that type of authentication or device identification.

    I wonder if Microsoft might know why it doesn't even if they're not responsible for it.

    Thursday, March 1, 2018 6:18 PM
  • Additional information provided from Microsoft:

    Confirmed that Firefox is indeed not a supported client app for browser CA.

    Based on documentation, the supported browsers support device authentication, assumption is that there might be some limitation re device authentication/ADAL for Firefox. I was able to confirm with Internal Intune Technical Engineer(s) that this is the case.

    Mozilla cannot prove the client device attempting the access, as it does not know how to access the computer's cert store and answer back to challenge from EvoSTS (Azure AD token service) with the Device Cert.


    Thursday, March 8, 2018 4:06 PM
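    The reply above says the browser cannot present the device certificate, so Azure AD never learns which device is signing in. As an added example (not part of the thread and not Microsoft code), the Python below triages an exported set of sign-in records to separate Conditional Access blocks where no device identity arrived from blocks where the device was identified but failed the policy. It assumes the export uses property names from the Microsoft Graph signIn resource (`conditionalAccessStatus`, `deviceDetail.browser`, `deviceDetail.deviceId`); the records and the classification labels are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample sign-in records. Property names follow the Microsoft Graph
# signIn resource; every value below is made up for illustration.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "failure",
  "deviceDetail": {"browser": "Firefox 58.0", "deviceId": "", "isCompliant": false}},
 {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "success",
  "deviceDetail": {"browser": "Chrome 64.0.3282", "deviceId": "constructed-device-1", "isCompliant": true}},
 {"userPrincipalName": "bob@contoso.example", "conditionalAccessStatus": "failure",
  "deviceDetail": {"browser": "Edge 16.16299", "deviceId": "constructed-device-2", "isCompliant": false}},
 {"userPrincipalName": "carol@contoso.example", "conditionalAccessStatus": "failure",
  "deviceDetail": {"browser": "Firefox 58.0", "deviceId": "", "isCompliant": false}},
 {"userPrincipalName": "dave@contoso.example", "conditionalAccessStatus": "notApplied",
  "deviceDetail": {"browser": "Firefox 58.0", "deviceId": "", "isCompliant": false}}
]""")


def browser_family(browser):
    """'Firefox 58.0' -> 'Firefox'; missing or empty value -> 'unknown'."""
    words = [w for w in (browser or "").split() if not w[0].isdigit()]
    return " ".join(words) or "unknown"


def classify(record):
    """Separate 'no device identity presented' from 'identified but blocked'."""
    detail = record.get("deviceDetail") or {}
    status = record.get("conditionalAccessStatus")
    if status != "failure":
        return "allowed" if status == "success" else "policy_not_applied"
    if not detail.get("deviceId"):
        return "blocked_no_device_identity"
    return "blocked_identified_device"


def summarize(signins):
    """Count (browser family, classification) pairs across the export."""
    return Counter(
        (browser_family((r.get("deviceDetail") or {}).get("browser")), classify(r))
        for r in signins
    )


if __name__ == "__main__":
    for (family, outcome), count in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(f"{family:10} {outcome:28} {count}")
```

    A Conditional Access failure can have causes other than the device check, so treat the "blocked_no_device_identity" bucket as a starting point for review rather than a verdict.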
  • Hello,

    Thanks for sharing. 

    It really helps to understand the reason.

    Best regards,

    Andy Liu



    Friday, March 9, 2018 12:27 AM