Came across this issue today and spent some time troubleshooting it with a colleague. Figured I should churn a blog post out of it in case it’s useful to others. It was kind of a non-issue once we got to the bottom of it.
Here’s what happens. Sometimes when users click on a link in Outlook for iOS, it opens up Edge and Edge prompts the user to register their device. We have been making some Intune-related changes at work, so the question was whether this was related to that work. Turns out the answer is NO.
Logging into Outlook or Teams etc. does not force the device to be registered. And neither does opening the same link in Safari. It’s only opening that link via Edge which seems to force device registration.
During troubleshooting we noticed that Outlook seems to always open links in Edge, irrespective of what the default iOS browser is, and even if we set Outlook (Settings > Open link in) to use the default browser or Chrome etc. Surely this can’t be a case of Microsoft being devious and forcing Edge upon users, can it? (To be honest, that is not an inconceivable scenario at this point; just Googling this issue brings up so many news articles and blog posts about Microsoft trying to push Edge everywhere.)
In this case though, turns out it wasn’t Microsoft, but us. If we uninstall Edge on the user device and try to open a link from Outlook, we are prompted to install it.
Interesting. Turns out this is because of an app protection policy we had in place. This has been in place for years actually, so it’s nothing new, but this setting is what forces Outlook to ask the user to install Edge.
Cool, so that explains that.
And why is Edge then trying to register the user? Is that some new nefarious behaviour? I don’t know if this has always been the case, but we came across this Microsoft article which says that when Edge is performing SSO it requires the device to be registered.
Why? I have no idea. But at least that explains things. That also explains why this is not a widespread issue within the firm. Most iOS users are on the native mail client, so they are not affected at all when opening any links. It’s only Outlook for iOS users that are affected, and even then only those users who click a link that is protected by our Entra ID. So this has always been the case, nothing new here.
We also wrote a little KQL query to check our sign-in logs to see what the trend has been for this sort of registration attempt over the past 6 months.
```kql
let TimeRange = 180d;
let NISignInLogs = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(TimeRange)
    // Need this to make the column names the same between both logs
    | extend DeviceDetail = todynamic(DeviceDetail), ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies), LocationDetails = todynamic(LocationDetails), Status = todynamic(Status), MfaDetail = todynamic(MfaDetail), ProcessingTimeInMilliseconds = ProcessingTimeInMs
    | project-away ProcessingTimeInMs;
SigninLogs
    | where TimeGenerated > ago(TimeRange)
    | union NISignInLogs
    | where ResultDescription == "Device is not Workplace joined - Workplace join is required to register the device."
    | extend operatingSystem = tolower(tostring(DeviceDetail.operatingSystem))
    | where operatingSystem == "ios"
    | summarize by UserPrincipalName, Month = startofmonth(TimeGenerated)
    | summarize count = count() by Month
```
That too showed that such registration attempts have been going on for a while.
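As an added illustration (my own Python, not the KQL above or anything from Microsoft), here is the same logic run offline over a handful of constructed sign-in records. It reproduces the part of the query that trips people up: the non-interactive log carries DeviceDetail as a JSON string while the interactive log carries it as an object, so both have to be normalised before filtering on the operating system, and the two-step summarize counts distinct users per month rather than raw attempts. The record shapes, user names and timestamps are made up for the example; the 180-day window is exposed as an optional `since` cutoff.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Exact ResultDescription text the sign-in logs show for the Edge SSO prompt.
WORKPLACE_JOIN_REQUIRED = (
    "Device is not Workplace joined - Workplace join is required to register the device."
)

# Constructed sample records (not real log data). SigninLogs carry DeviceDetail
# as a parsed object; AADNonInteractiveUserSignInLogs carry it as a JSON string,
# which is why the KQL query has to todynamic() it before the union.
INTERACTIVE_LOGS = [
    {"TimeGenerated": "2024-01-05T09:12:00Z", "UserPrincipalName": "alice@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": {"operatingSystem": "iOS"}},
    {"TimeGenerated": "2024-01-20T11:00:00Z", "UserPrincipalName": "alice@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": {"operatingSystem": "Ios"}},          # same user, same month: counted once
    {"TimeGenerated": "2024-02-02T08:30:00Z", "UserPrincipalName": "bob@example.com",
     "ResultDescription": "",                               # successful sign-in, ignored
     "DeviceDetail": {"operatingSystem": "iOS"}},
    {"TimeGenerated": "2024-02-14T15:45:00Z", "UserPrincipalName": "carol@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": {"operatingSystem": "Windows 10"}},   # not iOS, ignored
]

NON_INTERACTIVE_LOGS = [
    {"TimeGenerated": "2024-02-10T10:00:00Z", "UserPrincipalName": "dave@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": json.dumps({"operatingSystem": "iOS"})},
    {"TimeGenerated": "2024-02-11T10:05:00Z", "UserPrincipalName": "dave@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": json.dumps({"operatingSystem": "iOS"})},
    {"TimeGenerated": "2024-02-28T19:00:00Z", "UserPrincipalName": "alice@example.com",
     "ResultDescription": WORKPLACE_JOIN_REQUIRED,
     "DeviceDetail": json.dumps({"operatingSystem": "iOS"})},
]


def normalize(record):
    """Mirror todynamic(): accept DeviceDetail as either a JSON string or a dict."""
    detail = record["DeviceDetail"]
    if isinstance(detail, str):
        detail = json.loads(detail) if detail else {}
    return {**record, "DeviceDetail": detail}


def is_ios_registration_prompt(record):
    """True for the workplace-join error raised on an iOS device (case-insensitive OS match)."""
    os_name = str(record["DeviceDetail"].get("operatingSystem", "")).lower()
    return record["ResultDescription"] == WORKPLACE_JOIN_REQUIRED and os_name == "ios"


def affected_users_per_month(interactive, non_interactive, since=None):
    """Distinct users per calendar month who hit the prompt, like the query's
    summarize-by-user-and-month followed by count-by-month. `since` is an
    optional aware datetime cutoff standing in for ago(TimeRange)."""
    users_by_month = defaultdict(set)
    for record in map(normalize, [*interactive, *non_interactive]):
        if not is_ios_registration_prompt(record):
            continue
        ts = datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))
        if since is not None and ts <= since:
            continue
        users_by_month[ts.strftime("%Y-%m")].add(record["UserPrincipalName"])
    return {month: len(users) for month, users in sorted(users_by_month.items())}


if __name__ == "__main__":
    cutoff = datetime.now(timezone.utc) - timedelta(days=180)
    # With the sample dates above the cutoff may exclude everything; run without it for the demo.
    for month, count in affected_users_per_month(INTERACTIVE_LOGS, NON_INTERACTIVE_LOGS).items():
        print(month, count)
```

Against a real export you would feed it the rows from both tables and pass a `since` of now minus 180 days; the output is the same per-month trend the KQL produces, with repeat prompts from one user collapsed into a single count.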