From 0270f28c8024009bde4885303adb9ef3bfed2771 Mon Sep 17 00:00:00 2001 From: Chi Yao Date: Thu, 16 Apr 2026 08:44:24 -0700 Subject: [PATCH 1/2] Adding Apple Secure Enclave explanation Clarified requirements for Apple devices that use Secure Enclave in relation to Conditional Access policies. --- .../conditional-access/concept-conditional-access-grant.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/identity/conditional-access/concept-conditional-access-grant.md b/docs/identity/conditional-access/concept-conditional-access-grant.md index beab9696f63..eb146baa920 100644 --- a/docs/identity/conditional-access/concept-conditional-access-grant.md +++ b/docs/identity/conditional-access/concept-conditional-access-grant.md 
@@ -69,6 +69,8 @@ The **Require device to be marked as compliant** control: > [!NOTE] > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. +> +> For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) You can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access. 
@@ -235,4 +237,4 @@ Custom controls are a preview capability of Microsoft Entra ID. Using custom con - [Conditional Access common policies](concept-conditional-access-policy-common.md) -- [Report-only mode](concept-conditional-access-report-only.md) \ No newline at end of file +- [Report-only mode](concept-conditional-access-report-only.md) From f5562c5f3b638ff200ad70faa650f0ea403f5033 Mon Sep 17 00:00:00 2001 From: Diana Richards Date: Tue, 21 Apr 2026 16:08:38 -0500 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../conditional-access/concept-conditional-access-grant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/identity/conditional-access/concept-conditional-access-grant.md b/docs/identity/conditional-access/concept-conditional-access-grant.md index eb146baa920..f67e303b558 100644 --- a/docs/identity/conditional-access/concept-conditional-access-grant.md +++ b/docs/identity/conditional-access/concept-conditional-access-grant.md 
@@ -70,7 +70,7 @@ The **Require device to be marked as compliant** control: > [!NOTE] > On Windows, iOS, Android, macOS, and some non-Microsoft web browsers, Microsoft Entra ID identifies the device by using a client certificate that is provisioned when the device is registered with Microsoft Entra ID. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser. > -> For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug‑in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug‑in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug‑in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) +> For Apple devices as Microsoft Entra ID transitions the storage of device identity keys from Apple Keychain to Apple Secure Enclave, the Microsoft Enterprise SSO plug-in for Apple devices must be enabled for applications that do not use the Microsoft Authentication Library (MSAL), including Safari. Enabling the Enterprise SSO plug-in ensures that these applications can participate in device-based authentication required by Conditional Access policies, such as Require device to be marked as compliant and Filter for devices condition. 
For more information about this transition to Apple Secure Enclave, see [Microsoft Enterprise SSO plug-in for Apple devices – Microsoft identity platform on Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#device-identity-key-storage) You can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.
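Review bot: in the first hunk of PATCH 1/2 (`@@ -69,6 +69,8 @@`), the new note paragraph states the requirement but not its consequence, and carries a few wording and style defects. "For Apple devices as Microsoft Entra ID transitions the storage of device identity keys ..." needs a comma after "For Apple devices" (or reorder to "As Microsoft Entra ID transitions the storage of device identity keys on Apple devices from Apple Keychain to Apple Secure Enclave, ..."), and the closing sentence "For more information about this transition ... (https://learn.microsoft.com/...)" has no terminal period. The control names are bolded elsewhere in this section (`**Require device to be marked as compliant**` in the hunk context) but plain here; suggest "such as **Require device to be marked as compliant** and the **Filter for devices** condition." The link is an absolute URL with a hard-coded `/en-us/` locale while the rest of the file uses relative links (see `concept-conditional-access-policy-common.md` in the second hunk); a site-relative path `/entra/identity-platform/apple-sso-plugin#device-identity-key-storage` avoids pinning the locale. Finally, since the paragraph says enabling the plug-in "ensures that these applications can participate in device-based authentication", a sentence on what happens when it is not enabled (applications that do not use MSAL, including Safari, cannot present the device identity, so these grant controls cannot be satisfied) would help administrators recognize the resulting sign-in blocks.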
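Review bot: the second hunk of PATCH 1/2 (`@@ -235,4 +237,4 @@`) is a whitespace-only change (it only removes the "\ No newline at end of file" condition on the Report-only mode link) and is unrelated to the commit subject "Adding Apple Secure Enclave explanation"; it is fine to keep, but either mention it in the commit message or split it into its own commit so the history explains the diff.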
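Review bot: in the hunk of PATCH 2/2 (`@@ -70,7 +70,7 @@`), the only visible difference between the removed and added lines is the replacement of the non-breaking hyphen (U+2011) in "plug‑in" with an ASCII hyphen in three places, which the commit message "Apply suggestions from code review" does not say; a message such as "Use ASCII hyphen in 'plug-in'" keeps the history searchable. While this line is being edited, the remaining defects from the original paragraph are worth fixing in the same pass: the missing comma after "For Apple devices", the missing period at the end of "For more information about this transition to Apple Secure Enclave, see [...]", and the unbolded control names "Require device to be marked as compliant" and "Filter for devices", which the surrounding section formats as `**...**`.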