Microsoft provides several different services that check to see if you are on an untrusted device, even when accessing them from the browser. For example, they can be banned from SharePoint and OneDrive.
The documentation seems to claim that this is based on the device itself, not the network segment the device is connecting from. How can a web service, running in the context of the browser, determine reliably if a device is authorized? Are there browser-level APIs that this hooks into? What are the risks of a malicious user spoofing whatever characteristics are being checked for?
