https://live.paloaltonetworks.com/t5/prisma-access-discussions/does-prisma-browser-support-device-based-conditional-access/m-p/1254733#M1293 <P>Prisma Access has it's own Device ID as shown in&nbsp;<A href="https://docs.paloaltonetworks.com/prisma-access-browser/administration/manage-prisma-access-browser-devices" target="_blank" rel="noopener">Manage Prisma Browser Devices</A>&nbsp;that can be grouped in Device Groups.</P> <P>&nbsp;</P> <P>About integrating with Microsoft Conditional Access Device ID after I checked with AI (I used Copilot but chatgpt should also help) I see that it may need&nbsp;Windows Accounts Extension and maybe you have not allowed this extension that collects this data from the machine.</P> <P>&nbsp;</P> <P>Also see&nbsp;<A href="https://docs.paloaltonetworks.com/prisma-access-browser/integrations/windows-account-based-sso-authentication" target="_blank" rel="noopener">Windows Account Based SSO Authentication</A>&nbsp;and maybe enable&nbsp;<STRONG class="ph b">Microsoft Auto-SSO.</STRONG></P> <P>&nbsp;</P> <P>As Prisma Browser is heavily restricted on extensions that could be the issue but if not better open a support case.</P> Tue, 26 May 2026 06:05:12 GMT nikoolayy1 2026-05-26T06:05:12Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/does-prisma-browser-support-device-based-conditional-access/m-p/1254142#M1292 <DIV class="scriptor-paragraph"><SPAN>Hi all,</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>I’m currently investigating an issue with Prisma Access Browser (Android) in combination with Microsoft Entra Conditional Access and wanted to check if anyone has faced something similar.</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Setup:</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Prisma Browser deployed via Intune (Android Enterprise, fully managed/BYOD)</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Company Portal installed and device properly enrolled</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Microsoft Authenticator used for MFA</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Authentication is routed via Palo Alto Cloud Identity Engine (Cloud Authentication Service)</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Conditional Access policy requires device-based conditions (device trust / compliance)</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Issue:</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>When users access an application (e.g. SaaS app protected by Entra Conditional Access) through Prisma Browser, the sign-in logs in Entra show:</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>- Device ID: not present</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Join Type: not set</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Managed: No</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Compliant: No</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Even in the Cloud Identity Engine (CAS) logs, device attributes are missing.</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Assumption:</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>It seems that Prisma Browser does not pass through device identity / device claims to Entra (possibly due to its authentication flow and/or CAS integration).</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Questions:</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Is Prisma Browser on Android expected to support device-based Conditional Access (device ID, compliance, join type)?</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Does Prisma Browser integrate with Microsoft broker (Authenticator / Company Portal) for device identity?</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Is there any configuration required to enable device claims passthrough?</SPAN></DIV> <DIV class="scriptor-paragraph"><SPAN>- Or is this a known limitation by design?</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Currently, the only workaround is to use network-based exclusions, which weakens the Conditional Access model.</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Would appreciate any insights or experiences.</SPAN></DIV> <P><SPAN>&nbsp;</SPAN></P> <DIV class="scriptor-paragraph"><SPAN>Thanks!</SPAN></DIV> <P><LI-WRAPPER></LI-WRAPPER></P> Sun, 17 May 2026 20:08:41 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/does-prisma-browser-support-device-based-conditional-access/m-p/1254142#M1292 SeriThal 2026-05-17T20:08:41Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/does-prisma-browser-support-device-based-conditional-access/m-p/1254733#M1293 <P>Prisma Access has it's own Device ID as shown in&nbsp;<A href="https://docs.paloaltonetworks.com/prisma-access-browser/administration/manage-prisma-access-browser-devices" target="_blank" rel="noopener">Manage Prisma Browser Devices</A>&nbsp;that can be grouped in Device Groups.</P> <P>&nbsp;</P> <P>About integrating with Microsoft Conditional Access Device ID after I checked with AI (I used Copilot but chatgpt should also help) I see that it may need&nbsp;Windows Accounts Extension and maybe you have not allowed this extension that collects this data from the machine.</P> <P>&nbsp;</P> <P>Also see&nbsp;<A href="https://docs.paloaltonetworks.com/prisma-access-browser/integrations/windows-account-based-sso-authentication" target="_blank" rel="noopener">Windows Account Based SSO Authentication</A>&nbsp;and maybe enable&nbsp;<STRONG class="ph b">Microsoft Auto-SSO.</STRONG></P> <P>&nbsp;</P> <P>As Prisma Browser is heavily restricted on extensions that could be the issue but if not better open a support case.</P> Tue, 26 May 2026 06:05:12 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/does-prisma-browser-support-device-based-conditional-access/m-p/1254733#M1293 nikoolayy1 2026-05-26T06:05:12Z