How to restrict access by Device ID (Fingerprint?)
We want to limit access to previously registered devices. It seems that the solution would be to use the risk policies with Fingerprint, but all the information it seems we can capture from the device is descriptive (version, language, operating system, CPU, etc.) and not identifying (serial number, device ID, etc.).
Do you know if it is possible to make a policy of this type? Is it possible to know the DeviceID or serial number in the authentication process?
What we are really looking for is to achieve something similar to Conditional Access in Azure AD, for example, not allowing access if the device is not managed by Intune.
Thanks for your ideas.
The issue you're running into is caused by browser security and the fact that browsers are sandboxed to explicitly block access to such information. From the browser, you can only get allowed data unless you add some executable/extension that bypasses browser security. Without this, your best option is fingerprinting or persistent cookies.
With fingerprint, can we unequivocally identify a device? Surely it is that I do not know enough about how fingerprinting works, but I cannot see how we can identify it other than by its characteristics.
Would there be a way to leave a fingerprint or token on the device that allows us to identify it? For example, through Intune we distribute a permanent cookie. If the device has this cookie, I recognize it as a trusted device.
Yes, a cookie with the IDP domain can be used in this way. The issue is getting it installed in the browser. The persistent authN class can do this but it requires you authenticate some other way before you lay the cookie down.
The issue is that this will need to be done separately for each browser they might use and I'm not even sure it's possible on mobile devices.
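To make the two approaches in this thread concrete, here is an added illustration (not code from the thread, and not any vendor's risk-policy or persistent-authentication implementation). It first hashes the descriptive attributes a browser exposes into a fingerprint and shows that two devices from the same corporate build produce the same value, so the fingerprint cannot tell them apart. It then models the cookie approach: the IdP issues an HMAC-signed device-trust cookie containing a random device id after the device has proven itself another way, and later requests are admitted only if the cookie verifies and the id is on the registered list. All attribute values, the `SERVER_KEY`, and the function names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed sample attributes: what a browser will actually expose.
# LAPTOP_A and LAPTOP_B are two physical machines with the same build image.
LAPTOP_A = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120",
    "lang": "en-US", "tz_offset": -60, "screen": "1920x1080", "cores": 8,
}
LAPTOP_B = dict(LAPTOP_A)                     # identical build, different device
LAPTOP_C = {**LAPTOP_A, "screen": "2560x1440"}  # only differs by screen size


def fingerprint(attrs: dict) -> str:
    """SHA-256 over a canonical encoding of descriptive attributes.

    Stable for a given configuration, but any two devices with the same
    configuration collide: this identifies a build, not a device.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Server-side secret for signing device-trust cookies (constructed here;
# a real IdP would hold this in its key store).
SERVER_KEY = secrets.token_bytes(32)


def new_device_id() -> str:
    """Random, non-guessable id assigned at enrollment time."""
    return secrets.token_hex(16)


def issue_device_cookie(device_id: str, ttl_seconds: int = 90 * 24 * 3600,
                        now: Optional[int] = None) -> str:
    """Build 'device_id.expiry.hmac' after the device has authenticated
    some other way (e.g. during a management enrollment flow)."""
    now = int(time.time()) if now is None else now
    payload = f"{device_id}.{now + ttl_seconds}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_device_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the device id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        device_id, exp, sig = cookie.split(".")
    except ValueError:
        return None
    payload = f"{device_id}.{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if not exp.isdigit() or int(exp) < now:
        return None
    return device_id


def access_decision(cookie: Optional[str], registered: Set[str],
                    now: Optional[int] = None) -> str:
    """Policy: allow only requests carrying a valid cookie for a registered device."""
    if cookie is None:
        return "deny"
    device_id = verify_device_cookie(cookie, now)
    if device_id is None or device_id not in registered:
        return "deny"
    return "allow"


if __name__ == "__main__":
    print("A == B:", fingerprint(LAPTOP_A) == fingerprint(LAPTOP_B))  # True
    print("A == C:", fingerprint(LAPTOP_A) == fingerprint(LAPTOP_C))  # False
    dev = new_device_id()
    registry = {dev}
    cookie = issue_device_cookie(dev)
    print("enrolled device:", access_decision(cookie, registry))        # allow
    print("no cookie:", access_decision(None, registry))                # deny
```

When deploying the cookie variant, set it on the IdP's own domain with the `Secure`, `HttpOnly` and `SameSite` attributes, keep the signing key server-side only, and treat the cookie as proof of a prior enrollment rather than as a user credential; as the reply above notes, it is per browser profile, so each browser on the device needs its own enrollment.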
The idea is to control access based on whether the device is managed by Intune, so perhaps it is possible to distribute this cookie through Intune itself, which would be proof that it is a device managed by the organization.