Forum Discussion
Question on accessing onprem and cloud applications from Intune BYOD Mobile devices
1. Can you confirm my understanding is correct - Azure AD Application Proxy helps to connect to onprem applications and MCAS is the solution to access Cloud Applications.
Yes, AAD App Proxy provides external access to on-prem apps without VPN. This feature allows you to benefit from the AAD Conditional Access capabilities for on-premises apps.
Cloud App Security extends the AAD Conditional Access capabilities with App Control (details here) for SaaS apps, but also on-premises applications published by AAD App Proxy. You could then use MCAS to restrict/protect downloads to unmanaged devices or outside your organization. A typical example would be on-premises SharePoint sites.
This feature is currently in private preview.
2. Our cloud applications have specific access rules where they allow only access from the internal corporate network. Can we still use MCAS to access those cloud applications from mobile devices? If there are any IPs to be white-listed on the cloud applications, can you list them? Our cloud applications are ADFS integrated.
I would recommend here another approach, which would be to move your cloud applications to Azure AD so you can benefit from Azure AD Conditional Access capabilities, like preventing access from a risky IP or allowing connection only from managed and compliant devices (information coming from AAD and Intune).
MCAS could then extend your scenario by preventing download of sensitive files in some conditions.
If moving to AAD is not an option, we currently have a private preview to support 3rd party IdPs (AD FS, Okta, ...), but the effort to implement it will be similar to moving your apps to Azure AD, as we have to modify your federations to integrate MCAS.
I would also be curious to understand why you don't want to use Azure AD.
3. If there are any guidelines, deployment documents or diagram which would assist, please share.
For apps federated with Azure AD: https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad
For apps having an App Connector: https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps
Thank you so much for your detailed response.
I have follow-up questions on your response below in #2:
"I would recommend here another approach which would be to move your cloud applications to Azure AD so you can benefit of Azure AD Conditional Access capabilities, like preventing access from a risky IP or allowing connection only from managed and compliant devices (information coming from AAD and Intune)."
Our cloud applications are already using single sign-on with ADFS. But the applications still keep an IP whitelist and disallow everything else.
When users access the cloud app URL (e.g. ServiceNow) from a mobile device,
a. The request first goes to ServiceNow, which has an IP whitelist.
b. Then it is redirected to ADFS.
The request is rejected by ServiceNow (in step a) before it hits ADFS. Is there a way to force my requests to go through the Campus Proxy or MCAS Reverse Proxy before they hit "step a"?
- Sebastien Molendijk, Mar 19, 2019
Microsoft
The whitelist you are maintaining at the application level could easily be configured at the Azure AD level, with an IP reputation check in addition, plus verifying if the device is managed by your organization. This is one of the reasons I'm recommending this approach.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Regarding the redirection to MCAS before reaching the application, this is not possible, as this is something done at the identity provider level. The IdP verifies the conditions (user, app, device, risk, ...) and is the one that decides if the session must be redirected to the reverse proxy before going to the app.
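The following is an added example, not code from the thread or from Microsoft, showing what moving the application-level IP whitelist into Azure AD looks like: a trusted named location for the campus egress range, and a Conditional Access policy that requires a compliant (Intune-managed) device from any other location and hands the session to MCAS, which is the IdP-side decision described in the reply above. It assumes the Microsoft Graph PowerShell SDK cmdlets `Connect-MgGraph`, `New-MgIdentityConditionalAccessNamedLocation` and `New-MgIdentityConditionalAccessPolicy`; the app id and break-glass account id are placeholders, and 203.0.113.0/24 is a constructed documentation range, not a real campus block.

```powershell
# Added example (not from the thread): replace an app-level IP whitelist with an
# Azure AD Conditional Access policy via the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the caller can grant the
# Policy.ReadWrite.ConditionalAccess scope. <SERVICENOW-APP-ID> and
# <BREAK-GLASS-ACCOUNT-ID> are placeholders for values from your own tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Campus egress range as a trusted named location.
#    203.0.113.0/24 is a constructed documentation range, not a real address block.
$campus = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Campus egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Policy for the ServiceNow enterprise app: from any location that is not the
#    campus range, require a compliant device, and route the session through the
#    MCAS reverse proxy with downloads blocked (the Conditional Access App Control
#    scenario from the first reply).
$policy = @{
    displayName = "ServiceNow: campus or compliant device, session via MCAS"
    # Start in report-only, check the sign-in logs for what would be blocked,
    # then switch the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<BREAK-GLASS-ACCOUNT-ID>") }
        applications   = @{ includeApplications = @("<SERVICENOW-APP-ID>") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($campus.Id)   # campus traffic is exempt, as the old whitelist allowed
        }
    }
    # Outside campus: only Intune-compliant devices get a token at all.
    grantControls   = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    # Sessions that pass are proxied by MCAS; "blockDownloads" is the built-in
    # session policy, "mcasConfigured" would defer to policies defined in the MCAS portal.
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once this policy is enforced, the whitelist on the application side has to be removed or relaxed, because the application only sees source IPs and cannot evaluate the device-compliance signal; the location check, the device check and the MCAS redirection all happen at the IdP before the application is reached, which is exactly why the request in the question is rejected at "step a" today.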