Forum Discussion
Question on accessing onprem and cloud applications from Intune BYOD Mobile devices
Thank you so much for your detailed response.
I have follow-up questions on your response below in #2:
"I would recommend here another approach, which would be to move your cloud applications to Azure AD so you can benefit from Azure AD Conditional Access capabilities, like preventing access from a risky IP or allowing connection only from managed and compliant devices (information coming from AAD and Intune)."
Our cloud applications already use single sign-on with ADFS, but the applications still keep an IP whitelist and disallow everything else.
When users access the cloud app URL (e.g. Service Now) from a mobile device:
a. The request first goes to Service Now, which has an IP whitelist.
b. It is then redirected to ADFS.
The request is rejected by Service Now (in step a) before it hits ADFS. Is there a way to force my requests to go through the Campus Proxy or the MCAS Reverse Proxy before they hit step a?
The whitelist you are maintaining at the application level could easily be configured at the Azure AD level, with an IP reputation check in addition, plus verification that the device is managed by your organization. This is one of the reasons I'm recommending this approach.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
Regarding redirecting to MCAS before reaching the application, this is not possible, as this is something done at the identity provider level. The IdP verifies the conditions (user, app, device, risk, ...) and is the one that decides whether the session must be redirected to the reverse proxy before going to the app.
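As an added example (not part of the thread above, and not a script from Microsoft), here is what the reply's recommendation looks like when expressed with the Microsoft Graph PowerShell SDK: the application's IP whitelist becomes an Azure AD named location, off-campus access is granted only from an Intune-compliant or hybrid-joined device, risky sign-ins are blocked, and the session control hands the session to MCAS (Conditional Access App Control) so the IdP, not the app, makes the reverse-proxy decision. The CIDR ranges, the ServiceNow enterprise application id and the break-glass group id are placeholders you must replace.

```powershell
# Added example: move an app-level IP whitelist into Azure AD Conditional Access.
# Requires the Microsoft.Graph.Identity.SignIns module and an account allowed to
# write Conditional Access policies. All ids and CIDR ranges below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location holding the ranges the application currently whitelists itself.
$campusLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Campus egress (formerly app-level whitelist)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }   # placeholder
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" }  # placeholder
    )
}

$serviceNowAppId   = "00000000-0000-0000-0000-000000000000"   # placeholder: ServiceNow enterprise app id
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access accounts

# 2. From anywhere except campus, require a compliant (Intune) or hybrid-joined device,
#    and route the session through MCAS instead of letting it go straight to the app.
$accessPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "ServiceNow: off-campus needs compliant device, session via MCAS"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($serviceNowAppId) }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($campusLocation.Id) }
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
    sessionControls = @{
        # "mcasConfigured" defers to the session policies defined in MCAS for this app.
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "mcasConfigured" }
    }
}

# 3. Sign-ins that Identity Protection scores as risky are blocked regardless of device.
$riskPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "ServiceNow: block medium/high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @($serviceNowAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high", "medium")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Named location : $($campusLocation.Id)"
"Access policy  : $($accessPolicy.Id)"
"Risk policy    : $($riskPolicy.Id)"
```

Two caveats a practitioner would want: these policies only take effect for an app whose sign-in is federated to Azure AD, so ServiceNow has to be re-pointed from ADFS to Azure AD first, and the application's own whitelist must be removed once the policy is enforced, otherwise step a still rejects the request before the IdP ever sees it. The MCAS session control additionally requires the app to be onboarded for Conditional Access App Control in MCAS. Leave the policies in report-only mode and check the sign-in logs (or the Conditional Access "What If" tool) before enabling them, and never remove the break-glass exclusion.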