Question on accessing onprem and cloud applications from Intune BYOD Mobile devices


Hi,
My organization is doing a POC for Intune and has plans to migrate to an Intune-based BYOD solution. We are trying to find a solution to access on-prem and cloud-based applications from an Intune managed browser (Edge or Managed Browser) on iOS and Android.
My understanding is that we can use Azure AD Application Proxy as the solution to access on-prem applications from mobile devices, and we can access cloud applications using Microsoft Cloud App Security. A few of the cloud applications we have to access from mobile devices are Sales force, Service Now, Concur solutions ...
I am referring to the link below to find details about the MCAS solution.
https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security#architecture
After going through the above link and a couple of videos, I have the questions below.
1. Can you confirm my understanding is correct - Azure AD Application Proxy helps to connect to on-prem applications and MCAS is the solution to access cloud applications.
2. Our cloud applications have specific access rules that allow access only from the internal corporate network. Can we still use MCAS to access those cloud applications from mobile devices? If there are any IPs to be white-listed on the cloud applications, can you list them? Our cloud applications are ADFS integrated.
3. If there are any guidelines, deployment documents or diagrams which would assist, please share.
Note:
We have a federated Azure AD environment with fallback to password hash sync.

4 Replies

@Maya_Antony

1. Can you confirm my understanding is correct - Azure AD Application Proxy helps to connect to on-prem applications and MCAS is the solution to access cloud applications.

Yes, AAD App Proxy provides external access to on-prem apps without VPN. This feature allows you to benefit from the AAD Conditional Access capabilities for on-premises apps.

Cloud App Security extends the AAD Conditional Access capabilities with App Control (details here: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad) for SaaS apps, but also on-premises applications published by AAD App Proxy. You could then use MCAS to restrict/protect download to unmanaged devices or outside your organization. A typical example would be on-premises SharePoint sites.
This feature is currently in private preview.

2. Our cloud applications have specific access rules that allow access only from the internal corporate network. Can we still use MCAS to access those cloud applications from mobile devices? If there are any IPs to be white-listed on the cloud applications, can you list them? Our cloud applications are ADFS integrated.

I would recommend here another approach, which would be to move your cloud applications to Azure AD so you can benefit from Azure AD Conditional Access capabilities, like preventing access from a risky IP or allowing connection only from managed and compliant devices (information coming from AAD and Intune).

MCAS could then extend your scenario by preventing download of sensitive files under some conditions.

If moving to AAD is not an option, we currently have a private preview to support 3rd party IdPs (AD FS, Okta, ...), but the effort to implement it will be similar to moving your apps to Azure AD, as we have to modify your federations to integrate MCAS.
I would also be curious to understand why you don't want to use Azure AD.

3. If there are any guidelines, deployment documents or diagrams which would assist, please share.

For apps federated with Azure AD: https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad

For apps having an App Connector: https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps


@Sebastien Molendijk

Thank you so much for your detailed response.

I have follow-up questions on your response in #2 below:

"I would recommend here another approach which would be to move your cloud applications to Azure AD so you can benefit of Azure AD Conditional Access capabilities, like preventing access from a risky IP or allowing connection only from managed and compliant devices (information coming from AAD and Intune)."

Our cloud applications are already using single sign-on with ADFS. But the applications still keep an IP white-list and disallow everything else.

When users access the cloud app URL (e.g. Service Now) from a mobile device,

a. The request first goes to Service Now, which has an IP white-list.

b. Then it is redirected to ADFS.

The request is rejected by Service Now (in step a) before it hits ADFS. Is there a way to force my requests to go through the Campus Proxy or the MCAS Reverse Proxy before it hits "step a"?


@Maya_Antony

The whitelist you are maintaining at the application level could easily be configured at the Azure AD level, with an IP reputation check in addition, plus verifying if the device is managed by your organization. This is one of the reasons I'm recommending this approach.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Regarding the redirection to MCAS before reaching the application, this is not possible as this is something done at the identity provider level. The IdP verifies the conditions (user, app, device, risk, ...) and is the one that decides if the session must be redirected to the reverse proxy before going to the app.
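The two models contrasted in this thread (an IP allow-list enforced by the SaaS app before it redirects to AD FS, versus a location, device and risk decision taken at the IdP that then hands the session to the MCAS reverse proxy) as an added example, not code from the thread or from Microsoft. The policy dict borrows the field names of the Microsoft Graph conditionalAccessPolicy resource, but the IP range, ids and the evaluator itself are constructed for illustration, and a separate risk policy is modelled here as a plain block.

```python
import ipaddress

# Constructed value, not from the thread: the corporate egress range that the
# SaaS application's own IP allow-list contains today.
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Shaped like a Graph conditionalAccessPolicy (ids are placeholders): apply to
# the app from every location except the corporate named location, require an
# Intune-compliant device, and route the session via MCAS with downloads blocked.
POLICY = {
    "displayName": "SaaS from BYOD: compliant device + MCAS session control",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["<app-object-id>"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["<corp-named-location-id>"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
    "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                             "cloudAppSecurityType": "blockDownloads"}},
}


def on_corp_network(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CORP_EGRESS)


def app_level_allowlist(client_ip: str) -> str:
    """Today's model ("step a" in the thread): the SaaS app checks the source IP
    before redirecting to AD FS, so an off-network mobile client never reaches the IdP."""
    return "allow" if on_corp_network(client_ip) else "rejected-by-app"


def idp_decision(signin: dict) -> str:
    """Model of the evaluation the reply describes: the IdP checks location,
    device and risk, then grants, blocks, or routes the session via the proxy."""
    if POLICY["state"] != "enabled":
        return "allow-direct"
    if on_corp_network(signin["client_ip"]):
        return "allow-direct"          # excluded named location: policy out of scope
    if signin["sign_in_risk"] in ("medium", "high"):
        return "block"                 # risk evaluated at the IdP, before the app sees anything
    needs_compliant = "compliantDevice" in POLICY["grantControls"]["builtInControls"]
    if needs_compliant and not signin["device_compliant"]:
        return "block"                 # unmanaged BYOD off-network gets no token
    if POLICY["sessionControls"]["cloudAppSecurity"]["isEnabled"]:
        return "route-via-mcas"        # IdP redirects the session to the reverse proxy
    return "allow-direct"
```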