Does Prisma Browser support device-based Conditional Access (device ID / compliance)?

SeriThal — Sun, 17 May 2026 20:08:41 GMT

Hi all,

I’m currently investigating an issue with Prisma Access Browser (Android) in combination with Microsoft Entra Conditional Access and wanted to check if anyone has faced something similar.

Setup:

- Prisma Browser deployed via Intune (Android Enterprise, fully managed/BYOD)

- Company Portal installed and device properly enrolled

- Microsoft Authenticator used for MFA

- Authentication is routed via Palo Alto Cloud Identity Engine (Cloud Authentication Service)

- Conditional Access policy requires device-based conditions (device trust / compliance)

Issue:

When users access an application (e.g. SaaS app protected by Entra Conditional Access) through Prisma Browser, the sign-in logs in Entra show:

- Device ID: not present

- Join Type: not set

- Managed: No

- Compliant: No

Even in the Cloud Identity Engine (CAS) logs, device attributes are missing.

Assumption:

It seems that Prisma Browser does not pass through device identity / device claims to Entra (possibly due to its authentication flow and/or CAS integration).

Questions:

- Is Prisma Browser on Android expected to support device-based Conditional Access (device ID, compliance, join type)?

- Does Prisma Browser integrate with Microsoft broker (Authenticator / Company Portal) for device identity?

- Is there any configuration required to enable device claims passthrough?

- Or is this a known limitation by design?

Currently, the only workaround is to use network-based exclusions, which weakens the Conditional Access model.

Would appreciate any insights or experiences.

Thanks!

topic Does Prisma Browser support device-based Conditional Access (device ID / compliance)? in Prisma Access Discussions

Does Prisma Browser support device-based Conditional Access (device ID / compliance)?