Quick tip: Enable browser access on Android Enterprise corporate-owned devices

This week, a quick tip about enabling browser access on Android Enterprise Corporate-Owned Fully Managed devices and Android Enterprise Corporate-Owned devices with Work Profile, so that they work with device-based Conditional Access. With browser access enabled, the user can use different apps to access company data, for example the Chrome browser app for accessing SharePoint Online or Exchange Online. On these Android Enterprise devices, this requires a configuration in the Microsoft Authenticator app. In this post I’ll simply provide the steps that are required within the Microsoft Authenticator app.

Note: Before providing the mentioned steps, a big thank you to Pat Freeman for pointing me in the right direction.

Enable browser access in the Microsoft Authenticator app

Once you know the setting exists, it’s actually quite simple, but it wasn’t mentioned in the documentation. It only takes a few simple steps, which are described below, including screenshots.

  • Open the Microsoft Authenticator app and navigate to the three dots > Settings as shown in Figure 1
  • On the Settings page, scroll down to Work or school accounts and select Device registration as shown in Figure 2
  • On the Device registration page, select Enable browser access as shown in Figure 3
  • On the Enable browser access pop-up, select CONTINUE as shown in Figure 4
  • On the Activate device admin app page, read the information and select Activate as shown in Figure 5
  • Back on the Device registration page, the message Browser access enabled is displayed, as shown in Figure 6

After performing these steps, access will be available. That includes access via the Chrome browser app. It does, however, often require a restart of the Chrome browser app.

Note: This configuration is similar to the one for Android Enterprise Personally-Owned devices with Work Profile. However, that configuration was performed in the Company Portal app and isn’t needed anymore starting December 2020.


11 thoughts on “Quick tip: Enable browser access on Android Enterprise corporate-owned devices”

  1. I really hate that this must be done manually on every device and there is no App config for this, as well as Allowed Accounts mode support for Authenticator to pre-provision the UPN and make user’s life a bit simpler.

    In general, all O365 apps for Android look like 3rd class citizens compared to their iOS counterparts. 🙁

          • I asked because I have a freshly enrolled COPE Android device (we are testing COPE enrolment) and in the work profile MS Authenticator has the option to “Enable browser access”. It does not indicate that browser access is already enabled.

          • Hi Peter, we’re just testing this because the device ID was not getting passed on to Entra when a user initiates a login to an Enterprise app and it appears to fix the issue.

            Note: all the O365 apps worked fine, but our own Enterprise apps configured in Azure did not.

            So it seems there is a crucial missing link on MS side where you do still need to do these manual steps if you have Enterprise apps where you have Conditional Access policies with a dependency on the device ID being presented at logon.

            Does that line up with what you know?

  2. Also, compared to native MSAL in Edge (which has its quirks) this mode does just a simple cert-based auth – even when device becomes non-compliant and other apps like Teams stop working, the MyApps or Office portals still work, including opening OWA etc. even after auth tokens are revoked. Seems like they cache some cookies in the browser and do not re-check conditional access when CBA is used. Or maybe this is the AAD propagation delay between different endpoints – go figure…

