Hello, we have an enterprise license with SSO activated against our Entra/AzureAD directory with OIDC (Microsoft Entra ID OIDC Implementation | Bitwarden Help Center). Logins work fine, but we are now looking to add a Conditional Access policy in Entra to make sure our users only log in to the vault using a browser that's Entra-joined and compliant. For other apps in our tenant this is working fine, but for some reason logins from the Bitwarden SSO app don't seem to read the device status properly, and the CA policy rejects the login because the app can't determine the device status. We see this in the sign-in logs as well - no device information is populated there.

Is there anything we are missing in our app registration / enterprise app config to get this working properly? We have our users signed in to Edge and have the Windows Accounts extension loaded in Chrome, so all users are able to sign in with their Windows credentials - just not for the Bitwarden app, so clearly something's different with this one (we have hundreds of other apps that work fine). Any ideas?
Log entry from a working app in Edge browser:
Log entry from Bitwarden in same browser as above:
Log entry from Bitwarden in Chrome with Windows Accounts extension loaded:
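As an added example (not part of the original post, and not Bitwarden's or Microsoft's code), here is a small Python check that reads Entra sign-in log entries in the shape of the Microsoft Graph `signIn` resource (the `value` array returned by `GET /auditLogs/signIns`) and reports which apps never receive a device identity, and where the same user in the same browser got device state for one app but not another. The three sample entries are constructed to mirror the three screenshots described above; the app names, UPN, device IDs and browser versions are assumptions, not values from the post.

```python
import json
from collections import defaultdict

# Constructed sample entries shaped like the Microsoft Graph `signIn` resource
# (the `value` array of GET /auditLogs/signIns). Every value here is made up
# for this example; the pattern is the one described in the post: a working
# app carries deviceDetail, the Bitwarden sign-ins in the same browsers do not.
SAMPLE_SIGNINS_JSON = """
[
  {
    "id": "00000000-0000-0000-0000-000000000001",
    "createdDateTime": "2024-05-01T08:00:00Z",
    "userPrincipalName": "alice@example.com",
    "appDisplayName": "Working App",
    "conditionalAccessStatus": "success",
    "deviceDetail": {
      "deviceId": "11111111-aaaa-bbbb-cccc-222222222222",
      "displayName": "ALICE-LAPTOP",
      "operatingSystem": "Windows10",
      "browser": "Edge 124.0.0",
      "isCompliant": true,
      "isManaged": true,
      "trustType": "Azure AD joined"
    }
  },
  {
    "id": "00000000-0000-0000-0000-000000000002",
    "createdDateTime": "2024-05-01T08:01:00Z",
    "userPrincipalName": "alice@example.com",
    "appDisplayName": "Bitwarden",
    "conditionalAccessStatus": "failure",
    "deviceDetail": {
      "deviceId": "",
      "displayName": "",
      "operatingSystem": "Windows10",
      "browser": "Edge 124.0.0",
      "isCompliant": false,
      "isManaged": false,
      "trustType": ""
    }
  },
  {
    "id": "00000000-0000-0000-0000-000000000003",
    "createdDateTime": "2024-05-01T08:02:00Z",
    "userPrincipalName": "alice@example.com",
    "appDisplayName": "Bitwarden",
    "conditionalAccessStatus": "failure",
    "deviceDetail": {
      "deviceId": "",
      "displayName": "",
      "operatingSystem": "Windows10",
      "browser": "Chrome 124.0.0",
      "isCompliant": false,
      "isManaged": false,
      "trustType": ""
    }
  }
]
"""
SAMPLE_SIGNINS = json.loads(SAMPLE_SIGNINS_JSON)


def device_identity(entry):
    """Return the deviceId the sign-in carried, or '' if Entra saw no device."""
    return (entry.get("deviceDetail") or {}).get("deviceId") or ""


def summarize_by_app(entries):
    """Per app: total sign-ins, how many carried a device identity, CA failures,
    and which browsers were involved."""
    summary = defaultdict(lambda: {"signins": 0, "with_device": 0,
                                   "ca_failures": 0, "browsers": set()})
    for e in entries:
        s = summary[e.get("appDisplayName") or "<unknown>"]
        s["signins"] += 1
        if device_identity(e):
            s["with_device"] += 1
        if e.get("conditionalAccessStatus") == "failure":
            s["ca_failures"] += 1
        browser = (e.get("deviceDetail") or {}).get("browser") or ""
        if browser:
            s["browsers"].add(browser)
    # Freeze sets into sorted lists so the result is plain data.
    return {app: {**s, "browsers": sorted(s["browsers"])} for app, s in summary.items()}


def apps_missing_device_state(entries):
    """Apps for which no sign-in at all carried a device identity."""
    return sorted(app for app, s in summarize_by_app(entries).items()
                  if s["with_device"] == 0)


def same_browser_divergence(entries):
    """(user, browser) pairs that produced both a sign-in with a device identity
    and one without. If that happens in one browser session, the device and
    browser are fine and the difference lies in how that app's request reaches Entra."""
    seen = defaultdict(lambda: {"with": set(), "without": set()})
    for e in entries:
        key = (e.get("userPrincipalName") or "",
               (e.get("deviceDetail") or {}).get("browser") or "")
        bucket = "with" if device_identity(e) else "without"
        seen[key][bucket].add(e.get("appDisplayName") or "<unknown>")
    return {key: {"with_device": sorted(v["with"]), "without_device": sorted(v["without"])}
            for key, v in seen.items() if v["with"] and v["without"]}


if __name__ == "__main__":
    print(json.dumps(summarize_by_app(SAMPLE_SIGNINS), indent=2))
    print("apps never carrying device state:", apps_missing_device_state(SAMPLE_SIGNINS))
    for (upn, browser), v in same_browser_divergence(SAMPLE_SIGNINS).items():
        print(f"{upn} in {browser}: device seen for {v['with_device']}, "
              f"missing for {v['without_device']}")
```

To run this against real data, replace `SAMPLE_SIGNINS` with the `value` array from the Graph sign-in log export (the script only reads `appDisplayName`, `userPrincipalName`, `conditionalAccessStatus` and `deviceDetail`). An app that shows up in `apps_missing_device_state` while the same user and browser appear under `same_browser_divergence` is the signature described in the post: the browser can present device state, but that app's authorization request is not arriving with it.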