Hi TonyJ25
You are 100% correct. If you continue to send the authentication traffic down the VPN so it can be egressed through your corporate internet connection then IP based conditional access rules will continue to apply, even though the user is able to connect directly to the service endpoint for the split tunnelled (Optimize marked) endpoints.
For example you may set a rule that authentication tokens for your tenant are only issued if the auth request originates from an IP block you own. Obviously this will then cause remote users doing direct authentication to fail, as the source will be their ISP's IP address.
However, authentication traffic is relatively low volume and not massively latency sensitive, so it is absolutely fine to continue to hairpin this through a corporate VPN.
That way the only way someone outside your corporate network can get a token to access your Office 365 tenant is:
A. They have the correct credentials to do so
and also
B. They also have a device with the rights and configuration to be able to VPN into your corporate network to send the authentication request via there.
If you're using Tenant Restrictions to prevent authentication to untrusted tenants, then this will also continue to apply if auth traffic is sent into the corporate network via the VPN; the proxy implementing the feature will continue to manage the traffic and apply the policies set.
Once they have the relevant token, this can then be used to access the service endpoint directly via the split tunnel. This way we continue to ensure a high level of security whilst bypassing the VPN bottleneck for the high volume and latency sensitive traffic to/from the service.
You can obviously add other Conditional Access elements where necessary, such as user attributes, device state, application, risk, etc., and make risk-based decisions based on the results, such as Block, Allow or Require MFA. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview gives a good overview.
Hope that helps!
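The routing split described in this reply, as an added example that is not part of the original post: only Optimize-category prefixes from the endpoint list bypass the VPN, the login endpoint stays hairpinned, and a trusted-location check shows why a direct token request from an ISP address fails while one egressing via the corporate VPN succeeds. The endpoint records and all IP ranges are a constructed sample in the shape of the Office 365 endpoints web service output, not real service data.

```python
import ipaddress
import json

# Constructed sample mimicking the Office 365 endpoints web service records
# (category / urls / ips fields). Values are illustrative, not real service data.
SAMPLE_ENDPOINTS = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
  "urls": ["outlook.office365.com"], "ips": ["40.96.0.0/13", "2603:1006::/40"]},
 {"id": 31, "serviceArea": "SharePoint", "category": "Optimize",
  "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22"]},
 {"id": 56, "serviceArea": "Common", "category": "Allow",
  "urls": ["login.microsoftonline.com"], "ips": ["20.190.128.0/18"]}
]""")

# Constructed corporate egress block (TEST-NET-3) that the Conditional Access
# named location would trust; the VPN concentrator egresses from inside it.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
VPN_EGRESS_IP = "203.0.113.10"


def split_tunnel_exclusions(endpoints):
    """Prefixes allowed to bypass the VPN: Optimize category only."""
    return sorted({ip for e in endpoints
                   if e.get("category") == "Optimize"
                   for ip in e.get("ips", [])})


def route_for(endpoints, dest_ip):
    """'direct' if the destination is inside an Optimize prefix, else 'vpn'."""
    addr = ipaddress.ip_address(dest_ip)
    for prefix in split_tunnel_exclusions(endpoints):
        if addr in ipaddress.ip_network(prefix):  # v4/v6 mismatch is simply False
            return "direct"
    return "vpn"


def auth_stays_on_vpn(endpoints):
    """True when every login.microsoftonline.com prefix is routed via the VPN."""
    login_ips = [ip for e in endpoints
                 if "login.microsoftonline.com" in e["urls"] for ip in e["ips"]]
    return all(route_for(endpoints, ipaddress.ip_network(p)[1]) == "vpn"
               for p in login_ips)


def token_issuance_allowed(source_ip):
    """IP-based Conditional Access: issue a token only from a trusted egress block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def auth_source_seen_by_tenant(endpoints, client_public_ip):
    """Source IP the tenant sees: VPN egress when auth is hairpinned, else the ISP IP."""
    return VPN_EGRESS_IP if auth_stays_on_vpn(endpoints) else client_public_ip
```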