Conditional Access using certificate from Internal PKI

%3CLINGO-SUB%20id%3D%22lingo-sub-289296%22%20slang%3D%22en-US%22%3EConditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-289296%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EHi%20all%2C%3CBR%20%2F%3E%3CBR%20%2F%3EFairly%20new%20to%20Conditional%20Access.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20have%20a%20scenario%20where%20we%20want%20to%20stop%20users%20accessing%20Office%20365%20applications%20if%20they%20are%20coming%20in%20from%20an%20external%20connection%20and%20don't%20have%20a%20certificate%20present%20issued%20by%20our%20internal%20PKI.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EIs%20there%20a%20policy%20that%20we%20can%20configure%20in%20conditional%20access%20that%20says%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20coming%20in%20from%20an%20external%20connection%2C%20look%20for%20a%20user%2Fcomputer%20certificate%20on%20this%20device%20(be%20that%20laptop%20or%20mobile)%20and%20if%20present%20allow%20access.%20If%20not%20present%2C%20block%20access.%3CBR%20%2F%3E%3CBR%20%2F%3EPrimarily%20the%20goal%20is%20to%20stop%20users%20accessing%20Office%20365%20from%20non%20corporate%2C%20external%20devices.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20seems%20to%20fit%20the%20bill%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fcloud-app-security%2Fproxy-deployment-aad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fcloud-app-security%2Fproxy-deployment-aad%3C%2FA%3E%20am%20I%20on%20the%20right%20track%20here%3F%20Could%20configure%20an%20app%20control%20policy%20for%20Office%20365%2C%20and%20add%20a%20device%20control%2Ftag%20to%20specify%20a%20valid%20client%20certificate%20is%20required%3F%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3CBR%20%2F%3END%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-289296%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290132%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290132%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Natalie%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20are%20exactly%20right.%20You%20can%20create%20an%20Azure%20AD%20conditional%20access%20policy%20that%20routes%20traffic%20to%20Cloud%20App%20Security.%20In%20Cloud%20App%20Security%2C%20you%20would%20then%20upload%20the%20root%20or%20intermediate%20cert%2C%20and%20create%20an%20access%20policy%20that%20has%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20conditions%3A%3C%2FP%3E%0A%3CP%3EDevice%20tag%20%7C%20does%20not%20equal%20%7C%20Valid%20client%20certificate%3C%2FP%3E%0A%3CP%3EApp%20%7C%20%5Brelevant%20applications%20go%20here%5D%3C%2FP%3E%0A%3CP%3EIP%20address%20%7C%20category%20%7C%20does%20not%20equal%20%7C%20Corporate%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20resulting%20controls%3A%3C%2FP%3E%0A%3CP%3EBlock%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20need%20help%20with%20this%2C%20feel%20free%20to%20reach%20me%20at%20alex.esibov%40microsoft.com%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-644210%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-644210%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20tried%20implementing%20this%20with%20absolutely%20no%20success%20whatsoever.%20I've%20put%20out%20internal%20and%20root%20certificate%20in%20MCAS.%20Created%20my%20conditional%20access%20policy.%20I%20can%20see%20alerts%20from%20my%20policy%20so%20I%20know%20the%20conditional%20access%20policy%20is%20running%20and%20the%20policy%20is%20triggered.%20But%20it%20seems%20MCAS%20is%20simply%20unable%20to%20make%20any%20certificate%20comparison%20so%20just%20blocks%20everything.%20Certificate%20or%20no%20certificate.%20There%20seems%20little%20detail%20on%20this.%20Which%20browsers%20are%20supported%3F%20Should%20it%20prompt%20when%20attempting%20to%20verify%20the%20certificate%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1050136%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1050136%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2494%22%20target%3D%22_blank%22%3E%40Kevin%20Spreadbury%3C%2FA%3E%26nbsp%3Bwe're%20having%20the%20same%20issues%2C%20any%20resolutions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1305058%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1305058%22%20slang%3D%22en-US%22%3EHey%20Kevin%2C%20did%20you%20ever%20get%20this%20fixed%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313888%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313888%22%20slang%3D%22en-US%22%3EI'm%20having%20the%20same%20issue%20here.%20Did%20you%20have%20any%20update%20on%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1313935%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1313935%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F461312%22%20target%3D%22_blank%22%3E%40rodrigobe%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20folks%2C%20it%20would%20be%20super%20helpful%20to%20get%20a%20support%20case%20number%20so%20I%20can%20track%20it%20with%20the%20team.%20You%20can%20reach%20out%20to%20me%20at%20%3CA%20href%3D%22mailto%3Aalex.esibov%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ealex.esibov%40microsoft.com%20%3C%2FA%3Eif%20you%20need%20help%20with%20this.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20general%2C%20the%20docs%20cover%20Client-Certificate%20Authenticated%20Devices%20in%20quite%20some%20detail%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%23managed-device-identification%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fproxy-intro-aad%23managed-device-identification%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EIf%20you%20feel%20like%20this%20is%20missing%20explicit%20content%2C%20please%20let%20me%20know%20and%20we%20can%20work%20to%20update%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1315866%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1315866%22%20slang%3D%22en-US%22%3EThanks%20for%20you%20reply%20Alex.%20I%20think%20I'll%20open%20a%20support%20case%20to%20get%20some%20help%20on%20this.%3CBR%20%2F%3EI%20read%20that%20article%20and%20I%20configured%20both%20conditional%20access%20and%20MCAS%20access%20policy%2C%20I%20uploaded%20the%20certificate%20(I%20tried%20only%20root%20CA%2C%20root%20%2B%20Intermediate%20CA%20and%20only%20intermediate%20CA)%20and%20in%20any%20case%20it%20didn't%20work.%3CBR%20%2F%3ELooking%20at%20some%20logs%20should%20be%20useful%20to%20see%20which%20part%20of%20the%20certificate%20validation%20is%20failing.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1316127%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1316127%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F74084%22%20target%3D%22_blank%22%3E%40Ruairidh%20Campbell%3C%2FA%3E%26nbsp%3Bwe%20have%20this%20working.%20You%20have%20to%20use%20a%20user%20certificate%20that%20the%20user%20cannot%20export%20and%20not%20a%20machine%20certificate.%20Another%20thing%20to%20watch%20for%20is%20the%20user%20experience%20through%20different%20browers.%20the%20browser%20will%20prompt%20for%20a%20certificate%20(except%20Firefox%20which%20will%20just%20block).%20Put%20the%20MCAS%20redirect%20url%20in%20trusted%20sites%20and%20ensure%20browser%20settings%20do%20not%20prompt%20for%20a%20certificate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1329945%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1329945%22%20slang%3D%22en-US%22%3EAwesome%2C%20thanks%20for%20the%20tip.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1334876%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1334876%22%20slang%3D%22en-US%22%3ECan%20you%20elaborate%20on%20the%20redirect%20URL%3F%20Is%20this%20what%20site%20we%20expect%20to%20prompt%20for%20a%20client%20cert%3F%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%2C%20%E2%80%9Cdo%20not%20prompt%20for%20a%20cert%E2%80%9D..Is%20this%20that%20setting%20that%20(more%20or%20less)%20says%20if%20there%E2%80%99s%20only%20one%20client%20cert%20go%20ahead%20and%20use%20it%3F%20And%20I%E2%80%99m%20assuming%20this%20is%20in%20the%20trusted%20sites%20zone%20settings%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20all%20working%20perfectly%20on%20macOS%2C%20but%20I%20can%E2%80%99t%20get%20it%20to%20ask%20for%20a%20cert%20on%20Win10.%20My%20Win10%20devices%20with%20certs%20are%20going%20directly%20to%20the%20CAS%20proxy%20in%20the%20browser.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1335153%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1335153%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396942%22%20target%3D%22_blank%22%3E%40Schebby%3C%2FA%3E%26nbsp%3B%20The%20redirect%20is%20the%20path%20appended%20by%20MCAS%20reverse%20proxy.%20So%20dependent%20on%20your%20region%20(mine%20is%20EU)%20the%20url%20looks%20like%20this%20and%20you%20can%20see%20in%20the%20address%20bar%20when%20MCAS%20adds%20it%20when%20visiting%20the%20address%20under%20certificate%20control.%3C%2FP%3E%3CP%3E%3CSTRONG%3Eeu.access-control.cas.ms%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ESo%20you%20add%20for%20example%20*.eu.access-control.cas.ms%20to%20the%20trusted%20sites%20zone.%20And%20yes%20you%20enable%20the%20setting%20in%20that%20zone%20for%20%22do%20not%20prompt%20for%20a%20cert%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1353487%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1353487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2494%22%20target%3D%22_blank%22%3E%40Kevin%20Spreadbury%3C%2FA%3E%26nbsp%3BI%20figured%20it%20out%20(with%20help%20from%20support)!%20It%20wasn't%20trusted%20sites%20or%26nbsp%3BAutoSelectCertificateForUrls%20(on%20Chrome%2FEdge%20(Chromium)%20side)%20at%20all%20(although%20I%20had%20already%20set%20that%20per%20your%20guidance).%20It%20was%20that%20I%20didn't%20have%20a%20client%20cert%20in%20the%20local%20user%20cert%20store.%20Apparently%2C%20(on%20Win10%20at%20least)%20the%20browsers%20won't%20look%20in%20the%20local%20machine%20cert%20store%20for%20client%20(identity)%20certs.%20I%20wasn't%20being%20prompted%20because%20nothing%20was%20available%20for%20the%20browsers%20to%20show.%20Once%20I%20added%20a%20cert%20to%20the%20local%20user%20cert%20store%2C%20it%20immediately%20started%20prompting%20(and%20working).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%20others...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1357092%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20using%20certificate%20from%20Internal%20PKI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1357092%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396942%22%20target%3D%22_blank%22%3E%40Schebby%3C%2FA%3E%26nbsp%3BHi%2C%20yes%20correct%20hence%20my%20comment%20above%20it%20needs%20to%20be%20a%20user%20certificate%20and%20not%20a%20machine%20certificate.%20You'll%20also%20need%20to%20ensure%20the%20certificate%20is%20not%20exportable%20by%20the%20user%20of%20course.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi,

Hi all,

Fairly new to Conditional Access.

I have a scenario where we want to stop users accessing Office 365 applications if they are coming in from an external connection and don't have a certificate present issued by our internal PKI.

Is there a policy that we can configure in conditional access that says:

 

I am coming in from an external connection, look for a user/computer certificate on this device (be that laptop or mobile) and if present allow access. If not present, block access.

Primarily the goal is to stop users accessing Office 365 from non corporate, external devices.

This seems to fit the bill: https://docs.microsoft.com/en-gb/cloud-app-security/proxy-deployment-aad am I on the right track here? Could configure an app control policy for Office 365, and add a device control/tag to specify a valid client certificate is required?

Regards
ND

 

 

13 Replies
Highlighted

Hi Natalie, 

 

You are exactly right. You can create an Azure AD conditional access policy that routes traffic to Cloud App Security. In Cloud App Security, you would then upload the root or intermediate cert, and create an access policy that has:

 

The following conditions:

Device tag | does not equal | Valid client certificate

App | [relevant applications go here]

IP address | category | does not equal | Corporate

 

The resulting controls:

Block

 

If you need help with this, feel free to reach me at alex.esibov@microsoft.com

 

Highlighted

I've tried implementing this with absolutely no success whatsoever. I've put out internal and root certificate in MCAS. Created my conditional access policy. I can see alerts from my policy so I know the conditional access policy is running and the policy is triggered. But it seems MCAS is simply unable to make any certificate comparison so just blocks everything. Certificate or no certificate. There seems little detail on this. Which browsers are supported? Should it prompt when attempting to verify the certificate?

Highlighted

@Kevin Spreadbury we're having the same issues, any resolutions?

Highlighted
Hey Kevin, did you ever get this fixed?
Highlighted
I'm having the same issue here. Did you have any update on this?
Highlighted

@rodrigobe 

Hi folks, it would be super helpful to get a support case number so I can track it with the team. You can reach out to me at alex.esibov@microsoft.com if you need help with this. 

 

In general, the docs cover Client-Certificate Authenticated Devices in quite some detail here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#managed-device-identification

If you feel like this is missing explicit content, please let me know and we can work to update it.

Highlighted
Thanks for you reply Alex. I think I'll open a support case to get some help on this.
I read that article and I configured both conditional access and MCAS access policy, I uploaded the certificate (I tried only root CA, root + Intermediate CA and only intermediate CA) and in any case it didn't work.
Looking at some logs should be useful to see which part of the certificate validation is failing.
Highlighted

@Ruairidh Campbell we have this working. You have to use a user certificate that the user cannot export and not a machine certificate. Another thing to watch for is the user experience through different browers. the browser will prompt for a certificate (except Firefox which will just block). Put the MCAS redirect url in trusted sites and ensure browser settings do not prompt for a certificate.

Highlighted
Awesome, thanks for the tip.
Highlighted
Can you elaborate on the redirect URL? Is this what site we expect to prompt for a client cert?

Also, “do not prompt for a cert”..Is this that setting that (more or less) says if there’s only one client cert go ahead and use it? And I’m assuming this is in the trusted sites zone settings?

This is all working perfectly on macOS, but I can’t get it to ask for a cert on Win10. My Win10 devices with certs are going directly to the CAS proxy in the browser.
Highlighted

@Schebby  The redirect is the path appended by MCAS reverse proxy. So dependent on your region (mine is EU) the url looks like this and you can see in the address bar when MCAS adds it when visiting the address under certificate control.

eu.access-control.cas.ms

So you add for example *.eu.access-control.cas.ms to the trusted sites zone. And yes you enable the setting in that zone for "do not prompt for a cert".

Highlighted

@Kevin Spreadbury I figured it out (with help from support)! It wasn't trusted sites or AutoSelectCertificateForUrls (on Chrome/Edge (Chromium) side) at all (although I had already set that per your guidance). It was that I didn't have a client cert in the local user cert store. Apparently, (on Win10 at least) the browsers won't look in the local machine cert store for client (identity) certs. I wasn't being prompted because nothing was available for the browsers to show. Once I added a cert to the local user cert store, it immediately started prompting (and working). 

 

Hope this helps others... 

Highlighted

@Schebby Hi, yes correct hence my comment above it needs to be a user certificate and not a machine certificate. You'll also need to ensure the certificate is not exportable by the user of course.