Hi all,
I’m currently investigating an issue with Prisma Access Browser (Android) in combination with Microsoft Entra Conditional Access and wanted to check if anyone has faced something similar.
Setup:
- Prisma Browser deployed via Intune (Android Enterprise, fully managed/BYOD)
- Company Portal installed and device properly enrolled
- Microsoft Authenticator used for MFA
- Authentication is routed via Palo Alto Cloud Identity Engine (Cloud Authentication Service)
- Conditional Access policy requires device-based conditions (device trust / compliance)
Issue:
When users access an application (e.g. a SaaS app protected by Entra Conditional Access) through Prisma Browser, the sign-in logs in Entra show:
- Device ID: not present
- Join Type: not set
- Managed: No
- Compliant: No
Even in the Cloud Identity Engine (CAS) logs, device attributes are missing.
Assumption:
It seems that Prisma Browser does not pass through device identity / device claims to Entra (possibly due to its authentication flow and/or CAS integration).
Questions:
- Is Prisma Browser on Android expected to support device-based Conditional Access (device ID, compliance, join type)?
- Does Prisma Browser integrate with Microsoft broker (Authenticator / Company Portal) for device identity?
- Is there any configuration required to enable device claims passthrough?
- Or is this a known limitation by design?
Currently, the only workaround is to use network-based exclusions, which weakens the Conditional Access model.
Would appreciate any insights or experiences.
Thanks!
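One way to confirm the pattern across a tenant rather than one sign-in at a time, as an added example that is not part of the original post: a short Python script that groups Microsoft Graph `GET /auditLogs/signIns` records by client / OS / browser and reports which combinations never carry a device ID, join type (`deviceDetail.trustType`), managed or compliant flag. The `deviceDetail` object is the real Graph field behind the portal's Device ID / Join Type / Managed / Compliant columns; everything else here (user names, app, device IDs, user-agent strings, the sample export itself) is constructed for illustration. The script does not call Graph; export the sign-in records first and feed the JSON in.

```python
"""Triage an Entra ID sign-in log export for missing device claims.

Added example, not part of the original post. The records below are
constructed to mimic the shape returned by Microsoft Graph
GET /auditLogs/signIns; `deviceDetail` is the object the portal's
Device ID / Join Type (trustType) / Managed / Compliant columns come from.
Users, app, device IDs and browser strings are made up.
"""
import json
from collections import defaultdict

# Constructed sample export (not real tenant data). Replace with a real Graph
# response ({"value": [...]}) to triage an actual tenant.
SAMPLE_SIGNINS_JSON = r"""
{"value": [
  {"id": "s1", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Salesforce",
   "clientAppUsed": "Browser", "conditionalAccessStatus": "failure",
   "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Android 14",
                    "browser": "Chrome 120.0.0", "isCompliant": false, "isManaged": false,
                    "trustType": ""}},
  {"id": "s2", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Salesforce",
   "clientAppUsed": "Browser", "conditionalAccessStatus": "failure",
   "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Android 14",
                    "browser": "Chrome 120.0.0", "isCompliant": false, "isManaged": false,
                    "trustType": ""}},
  {"id": "s3", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Salesforce",
   "clientAppUsed": "Browser", "conditionalAccessStatus": "success",
   "deviceDetail": {"deviceId": "f0c1a2b3-0000-4000-8000-000000000001", "displayName": "LAPTOP-01",
                    "operatingSystem": "Windows 11", "browser": "Edge 120.0.0",
                    "isCompliant": true, "isManaged": true, "trustType": "AzureAd"}},
  {"id": "s4", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Salesforce",
   "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success",
   "deviceDetail": {"deviceId": "c2d4e6f8-0000-4000-8000-000000000002", "displayName": "Pixel-alice",
                    "operatingSystem": "Android 14", "browser": "",
                    "isCompliant": true, "isManaged": true, "trustType": "Workplace"}},
  {"id": "s5", "userPrincipalName": "dave@contoso.example", "appDisplayName": "Salesforce",
   "clientAppUsed": "Browser", "conditionalAccessStatus": "notApplied"}
]}
"""


def load_signins(raw_json: str) -> list:
    """Parse a Graph signIns response body and return the record list."""
    return json.loads(raw_json)["value"]


def has_device_identity(signin: dict) -> bool:
    """True when the sign-in carried a device ID (deviceDetail may be absent)."""
    device = signin.get("deviceDetail") or {}
    return bool(device.get("deviceId"))


def summarize(signins: list) -> dict:
    """Group sign-ins by (clientAppUsed, operatingSystem, browser) and count
    how many in each group presented device identity / managed / compliant
    claims, which trust types appeared, and how many hit a CA failure."""
    groups = defaultdict(lambda: {"total": 0, "with_device_id": 0, "managed": 0,
                                  "compliant": 0, "ca_failures": 0, "trust_types": set()})
    for s in signins:
        device = s.get("deviceDetail") or {}
        key = (s.get("clientAppUsed") or "unknown",
               device.get("operatingSystem") or "unknown",
               device.get("browser") or "unknown")
        g = groups[key]
        g["total"] += 1
        if has_device_identity(s):
            g["with_device_id"] += 1
        if device.get("isManaged"):
            g["managed"] += 1
        if device.get("isCompliant"):
            g["compliant"] += 1
        if s.get("conditionalAccessStatus") == "failure":
            g["ca_failures"] += 1
        if device.get("trustType"):
            g["trust_types"].add(device["trustType"])
    # Freeze the sets into sorted lists so the result is deterministic.
    return {k: {**v, "trust_types": sorted(v["trust_types"])} for k, v in groups.items()}


def clients_without_device_identity(summary: dict) -> list:
    """Client/OS/browser combinations where no sign-in ever carried a device ID.
    Any device-based Conditional Access grant is guaranteed to fail for these."""
    return sorted(k for k, g in summary.items() if g["with_device_id"] == 0)


if __name__ == "__main__":
    summary = summarize(load_signins(SAMPLE_SIGNINS_JSON))
    for key, g in sorted(summary.items()):
        print(f"{' / '.join(key):55} total={g['total']} deviceId={g['with_device_id']} "
              f"managed={g['managed']} compliant={g['compliant']} "
              f"trust={g['trust_types']} caFailures={g['ca_failures']}")
    print("never present device identity:", clients_without_device_identity(summary))
```

Running it on a real export narrows the question in the post: if the Android browser group shows `deviceId=0` while brokered mobile-app sign-ins from the same devices show a device ID and `trustType`, the device is registered and compliant and the gap is in how the browser reaches Entra, not in enrollment.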