OMEGASquad
Participant
March 23, 2026
Question

Adobe Acrobat Sign-In with Device-Aware Conditional Access

Hello, I am working for an enterprise working with Acrobat native desktop apps rather than browser-based tools. We have conditional access policies in place via Azure Conditional Access. The rules include device-aware granting and blocking, meaning that users must have a compliant device to be able to access the app after successful authentication. Unfortunately, the Acrobat desktop apps do not send any information about the client and thus, the access is refused. It all comes down to the Primary Refresh Token not being transmitted with the authentication request of the app. If the Adobe team used the MSAL library, this would solve this problem. Can you please have a look at this issue?

    S_S
    Community Manager
    March 30, 2026

    Hi @OMEGASquad,


    Hope you are doing well. Thanks for writing in!


    Acrobat desktop applications do not use Microsoft’s MSAL-based authentication flow, which means:

    • The app does not pass the Primary Refresh Token (PRT) from the device

    • As a result, device compliance and hybrid Azure AD join state cannot be evaluated

    • Azure Conditional Access policies that require:

      • Compliant device

      • Hybrid Azure AD joined device

    will block access, even after successful user authentication.

    In short, the sign-in succeeds, but Conditional Access fails during token evaluation because device claims are missing.


    Let's understand why this happens:

    • Acrobat uses a browser-based OAuth flow (system browser / embedded webview) rather than native MSAL integration

    • Device identity (PRT) is only passed when apps use:

      • MSAL

      • Windows Account Manager (WAM)

    Since Acrobat does not currently leverage these, Azure AD cannot validate device state.


    You might want to try the steps mentioned below:


    Adjust Conditional Access policy

    Modify the policy to exclude Adobe Acrobat from strict device-based enforcement:

    • Go to Azure Portal → Conditional Access

    • Edit the affected policy

    • Under Cloud apps or actions, exclude Adobe-related apps (e.g., “Adobe Acrobat” or “Adobe Document Cloud”)

    • Or relax the grant control:

      • Replace “Require compliant device” with:

        • Require MFA

        • or Require approved client app (if applicable)


    Use Named Locations or Filters

    If full exclusion is not acceptable:

    • Allow access from:

      • Trusted IP ranges (corporate network)

    • Or use device filters to scope the policy more narrowly


    Hope this helps.


    Regards,
    Souvik
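
Before scoping an exclusion like the one suggested in the reply above, it helps to confirm from sign-in logs which Conditional Access failures come from missing device claims rather than from a known but non-compliant device. The Python script below is an added example, not code from Adobe, Microsoft or either poster; it assumes records exported in the shape of Microsoft Graph `signIn` objects, and the sample records, the policy name and "Example Mail Client" are constructed.

```python
from collections import Counter

# Constructed sample data shaped like Microsoft Graph signIn records.
# The policy name and "Example Mail Client" are made up for illustration.
POLICY = "Require compliant device"
SAMPLE_SIGNINS = [
    {"appDisplayName": "Adobe Acrobat", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "isCompliant": None},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "failure"}]},
    {"appDisplayName": "Adobe Acrobat", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "isCompliant": None},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "failure"}]},
    {"appDisplayName": "Example Mail Client", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "constructed-device-1", "isCompliant": False},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "failure"}]},
    {"appDisplayName": "Example Mail Client", "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "constructed-device-2", "isCompliant": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "success"}]},
]

def classify(signin):
    """Return why Conditional Access failed, or None if it did not fail."""
    if signin.get("conditionalAccessStatus") != "failure":
        return None
    device = signin.get("deviceDetail") or {}
    if not device.get("deviceId"):
        return "no_device_claims"      # client sent no device identity
    if device.get("isCompliant") is not True:
        return "device_not_compliant"  # device known, fails compliance
    return "other_failure"             # compliant device, another control failed

def summarize(signins):
    """Count failed sign-ins per (app, failing policy, reason)."""
    counts = Counter()
    for s in signins:
        reason = classify(s)
        if reason is None:
            continue
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") == "failure":
                counts[(s.get("appDisplayName"), p.get("displayName"), reason)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SIGNINS).most_common():
        print(n, *key, sep=" | ")
```

An app that shows up only under `no_device_claims` matches the situation the reply describes, while `device_not_compliant` rows point at devices that need remediation rather than a policy exclusion.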