Forum Discussion
Conditional Access using certificate from Internal PKI
Hi Natalie,
You are exactly right. You can create an Azure AD conditional access policy that routes traffic to Cloud App Security. In Cloud App Security, you would then upload the root or intermediate cert, and create an access policy that has:
The following conditions:
Device tag | does not equal | Valid client certificate
App | [relevant applications go here]
IP address | category | does not equal | Corporate
The resulting controls:
Block
If you need help with this, feel free to reach me at alex.esibov@microsoft.com
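To make the check behind that policy concrete, the following is an added Go example written for this thread; it is not Microsoft's code and does not claim to be how Cloud App Security implements the check. It builds a throwaway PKI in memory (root CA, issuing intermediate, user certificate), treats the root and intermediate as the certificates uploaded to the portal, derives the "Valid client certificate" device tag by verifying that the presented certificate chains to them, and then applies the three conditions above to a few constructed requests. The app name, the IP categories and the subject `alice@contoso.example` are constructed values; the "rogue" certificate is issued by an unrelated CA with the same subject name to show that name matching is not what counts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. When parent is nil the certificate is
// self-signed (a root CA); otherwise it is signed by parent with parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf certificates are marked for client authentication only.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// HasValidClientCert reports whether leaf chains to one of the uploaded roots,
// through the uploaded intermediates, and is usable for client authentication.
// This is the check that decides whether the "Valid client certificate" tag applies.
func HasValidClientCert(leaf *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Request is the subset of a proxied request that the policy above looks at.
type Request struct {
	App        string
	IPCategory string            // "Corporate" or anything else (constructed categories)
	ClientCert *x509.Certificate // nil when the browser presented nothing
}

// Decide applies the post's policy: block only when all three conditions hold.
func Decide(r Request, scopedApps map[string]bool, roots, intermediates *x509.CertPool) string {
	noValidCert := r.ClientCert == nil || !HasValidClientCert(r.ClientCert, roots, intermediates)
	if noValidCert && scopedApps[r.App] && r.IPCategory != "Corporate" {
		return "Block"
	}
	return "Allow"
}

// RunScenarios builds a throwaway PKI (root -> intermediate -> user cert) plus an
// unrelated CA, and evaluates the policy for several constructed requests.
func RunScenarios() map[string]string {
	root, rootKey := issue("Contoso Root CA", true, nil, nil)
	inter, interKey := issue("Contoso Issuing CA", true, root, rootKey)
	userCert, _ := issue("alice@contoso.example", false, inter, interKey)
	otherRoot, otherKey := issue("Unrelated CA", true, nil, nil)
	rogueCert, _ := issue("alice@contoso.example", false, otherRoot, otherKey)

	// The root and intermediate stand in for the certificates uploaded to the portal.
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	intermediates.AddCert(inter)
	scoped := map[string]bool{"SharePoint Online": true} // constructed app scope

	cases := map[string]Request{
		"pki cert, external IP":     {App: "SharePoint Online", IPCategory: "Other", ClientCert: userCert},
		"no cert, corporate IP":     {App: "SharePoint Online", IPCategory: "Corporate"},
		"no cert, external IP":      {App: "SharePoint Online", IPCategory: "Other"},
		"rogue cert, external IP":   {App: "SharePoint Online", IPCategory: "Other", ClientCert: rogueCert},
		"no cert, app out of scope": {App: "Other App", IPCategory: "Other"},
	}
	out := make(map[string]string, len(cases))
	for name, r := range cases {
		out[name] = Decide(r, scoped, roots, intermediates)
	}
	return out
}

func main() {
	for name, d := range RunScenarios() {
		fmt.Printf("%-28s -> %s\n", name, d)
	}
}
```

Two things the scenarios make visible that the condition list alone does not: the three conditions are ANDed, so a device with no certificate is still allowed from a Corporate IP or for an app outside the policy scope, and a certificate is only "valid" if it chains to the uploaded root through the uploaded intermediate, which is why a certificate from a different CA with an identical subject is treated exactly like no certificate at all.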
- Kevin Spreadbury, May 24, 2019, Brass Contributor
I've tried implementing this with absolutely no success whatsoever. I've put our internal and root certificate in MCAS. Created my conditional access policy. I can see alerts from my policy, so I know the conditional access policy is running and the policy is triggered. But it seems MCAS is simply unable to make any certificate comparison, so it just blocks everything. Certificate or no certificate. There seems little detail on this. Which browsers are supported? Should it prompt when attempting to verify the certificate?
- rodrigobe, Apr 16, 2020, Copper Contributor
I'm having the same issue here. Did you have any update on this?
- Alex Esibov, Apr 16, 2020, Brass Contributor
Hi folks, it would be super helpful to get a support case number so I can track it with the team. You can reach out to me at alex.esibov@microsoft.com if you need help with this.
In general, the docs cover Client-Certificate Authenticated Devices in quite some detail here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#managed-device-identification
If you feel like this is missing explicit content, please let me know and we can work to update it.
- Ru, Apr 14, 2020, MVP
Hey Kevin, did you ever get this fixed?
- Kevin Spreadbury, Apr 17, 2020, Brass Contributor
Ru, we have this working. You have to use a user certificate that the user cannot export and not a machine certificate. Another thing to watch for is the user experience through different browsers. The browser will prompt for a certificate (except Firefox, which will just block). Put the MCAS redirect URL in trusted sites and ensure browser settings do not prompt for a certificate.
- erinboris, Dec 05, 2019, Copper Contributor
Kevin Spreadbury, we're having the same issues, any resolutions?