Conditional Access is great. However, when it comes to managed devices, it can only check for Hybrid Azure AD join and Intune compliance. With Microsoft Cloud App Security (MCAS), we can additionally require a client certificate to be present on the device before access is granted. In this post I’ll show you how to do that. So yes, Conditional Access using certificates is possible, although we need help from Microsoft’s CASB solution.
What we will do, in short: a Conditional Access policy will bring our demo user Adele into scope of MCAS’ Conditional Access App Control. This allows us to configure Session and Access policies in MCAS that check for the client certificate.
Preparing Conditional Access to use certificates
The preparation on the Conditional Access side is quite simple. All we have to do is make sure that the user’s sessions are routed to MCAS’ Conditional Access App Control with the “Use custom policy…” option.
That’s all I configured for Adele here. All of her sessions will be in scope of MCAS.
If you only want certain sessions to go through MCAS, you can achieve this by adding other Conditional Access conditions such as device platform, location, or device filters.
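The same policy can also be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not code from the original post; the user object ID and display name are placeholders. The session control value `mcasConfigured` is the Graph API equivalent of the “Use custom policy…” option, and the policy is scoped to a single test user on purpose, so that the effect can be verified in the sign-in logs before widening the scope.

```powershell
# Added example: create the Conditional Access policy that routes a user's
# sessions to MCAS Conditional Access App Control, via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the demo user (look it up with Get-MgUser -UserId adele@contoso.com)
$userId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Route Adele to MCAS session control"   # placeholder name
    state       = "enabled"
    conditions  = @{
        # Scope to one test user first; widen to a group once MCAS behaves as expected.
        users        = @{ includeUsers = @($userId) }
        applications = @{ includeApplications = @("All") }
        # "all" covers browser and mobile/desktop clients. Add platforms, locations
        # or a deviceFilter here if only some sessions should go through MCAS.
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # "mcasConfigured" == "Use custom policy..." in the portal: the actual
        # allow/block decisions are then made by the MCAS access/session policies.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy '{0}' (id {1}), state: {2}" -f $created.displayName, $created.id, $created.state

# Verify what was stored, including the session control, before testing with the user:
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" |
    ConvertTo-Json -Depth 10
```

Note that without an MCAS access or session policy matching the user, routing a session through Conditional Access App Control has no visible effect; the certificate check itself lives entirely on the MCAS side, which is configured next.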
Preparing Microsoft Cloud App Security
First, we need to add the root or intermediate CA certificate to MCAS in PEM format. Only the public certificate is required (and is all you should upload; the private key stays with the CA). You can upload it in Settings (1) > Device identification (2) > Add a root certificate (3):
Enter a name and description and you are good to go:
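As an added example (not part of the original post), here is a way to produce that PEM file from a CA certificate that is already in the local machine’s trusted store, with a couple of sanity checks a practitioner would want before uploading it. The subject name and output path are placeholders.

```powershell
# Added example: export the issuing CA certificate (public part only) as PEM
# for upload under MCAS > Settings > Device identification.
# Assumption: the CA cert is in LocalMachine\Root and its subject starts with
# the placeholder "CN=Contoso Root CA".
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "CN=Contoso Root CA*" } |
      Select-Object -First 1
if (-not $ca) { throw "CA certificate not found in LocalMachine\Root" }

# Sanity check 1: the certificate must actually be a CA (BasicConstraints cA=TRUE),
# otherwise MCAS cannot use it to validate client certificates issued under it.
$bc = $ca.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Certificate is not marked as a CA" }

# Sanity check 2: warn if the CA's private key lives on this box. RawData below is
# the DER-encoded certificate only, so the key is never written to the PEM file,
# but a CA key on an admin workstation is a finding in its own right.
if ($ca.HasPrivateKey) { Write-Warning "CA private key is present on this machine" }

# Wrap the DER bytes as PEM with the RFC 7468 line length of 64 characters.
$b64   = [Convert]::ToBase64String($ca.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
Set-Content -Path ".\contoso-root-ca.pem" -Value $pem -Encoding ascii -NoNewline

"Exported {0} (thumbprint {1}, valid until {2:yyyy-MM-dd})" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter
```

If an intermediate CA issues the client certificates, export that intermediate instead of (or in addition to) the root; the uploaded certificate is what MCAS matches the client certificate’s chain against.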
Now we need to create Session and Access policies. Session policies control browser access, while Access policies cover mobile and desktop apps. I created one policy for each scenario:
Let’s have a look at the session policy. I kept it quite simple (if the certificate is not present -> block file download); however, you can get more granular. The certificate check is done via the device tag filter, as you can see at the bottom of the left screenshot:
The access policy is even shorter:
Note: You must select “Mobile and desktop” as the client app here; otherwise the access policy will also cover browser sessions. That might be the desired behavior, but if you want to allow browser access in read-only mode with blocked downloads, it would be a problem.
As I said, I kept it simple. You can, however, also filter on:
- Cloud app
- Client app
- Device (Type / Tag)
- IP address (Raw IP / Category / Tag)
- Registered ISP
- User (Name / From group)
- User agent string
- User agent tag
In the browser-based session policies you can also specify file filters…
- File name
- File Size
- Sensitivity label
… and an inspection method:
- Built-in DLP
- Data Classification Service
- Malware detection
This can be applied to uploads and downloads.
You can also restrict certain actions inside the browser session:
- Cut/Copy item
- Paste item
- Send item
The user experience
Adele will now try to sign in to the Outlook desktop client.
Unfortunately, the certificate is not present on her machine, which MCAS detects.
Luckily, adding the certificate to her user store fixes the issue. The client certificate must have been issued by the CA we uploaded earlier. For this test I just did a manual import, but centralized distribution is also possible, of course.
Unlike Conditional Access, MCAS reacts to changes in near real time. So once the certificate is imported (or deployed), it works right away on the next try.
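Before blaming MCAS when a user is still blocked, it is worth checking on the client that the certificate really meets the conditions above. The following is an added example, not from the original post: it looks for a valid certificate with a private key in the user’s personal store, checks that it chains to the root uploaded to MCAS (thumbprint is a placeholder) and carries the Client Authentication EKU, and warns about the common mistake of importing into the machine store instead.

```powershell
# Added example: verify on the client that a certificate usable for the MCAS
# device-identification check is present in the *user* store and chains to the
# root that was uploaded to MCAS. $rootThumbprint is a placeholder.
$rootThumbprint = "0000000000000000000000000000000000000000"
$clientAuthEku  = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

function Test-McasClientCert {
    param(
        [string]$RootThumbprint,
        [string]$StorePath = "Cert:\CurrentUser\My"
    )
    $now = Get-Date
    # Only certificates with a usable private key and a current validity period qualify.
    $candidates = Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
    foreach ($cert in $candidates) {
        # A client cert presented in the TLS handshake needs the clientAuth EKU
        # (an absent EKU extension means "any purpose", so that is accepted too).
        $eku = $cert.Extensions |
               Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $clientAuthEku)) { continue }

        # Build the chain locally; the root/intermediate must be known to this machine
        # (Root or CA store) for the chain to reach it. Revocation is skipped here
        # because we only want to know which root the certificate belongs to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -eq $RootThumbprint) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$userCerts = Test-McasClientCert -RootThumbprint $rootThumbprint
if ($userCerts) {
    "OK - certificate(s) in CurrentUser\My chain to the uploaded root:"
    $userCerts | Format-Table -AutoSize
} else {
    Write-Warning "No valid client certificate in CurrentUser\My chains to root $rootThumbprint; MCAS will treat this device as not having the certificate."
    # Common mistake: the certificate was imported into the machine store instead.
    $machineCerts = Test-McasClientCert -RootThumbprint $rootThumbprint -StorePath "Cert:\LocalMachine\My"
    if ($machineCerts) {
        Write-Warning "A matching certificate exists only in LocalMachine\My; MCAS requires it in the user store."
        $machineCerts | Format-Table -AutoSize
    }
}
```

Because MCAS evaluates the certificate on the next request rather than on the next Conditional Access evaluation, running this check and then simply retrying the sign-in is usually enough to confirm the fix.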
Important aspects about Conditional Access and certificates
- The client certificate must be located in the user’s certificate store (CurrentUser), not the machine store.
- Microsoft says Cloud App Security uses Azure data centers around the globe, so a user session could be hosted outside of the tenant’s region. I am not allowed to give compliance advice, so please read for yourself: Protect with Microsoft Cloud App Security Conditional Access App Control | Microsoft Docs
- MCAS session controls require TLS 1.2 or later. This has also been the default for Azure AD since June 30th, 2021, so it shouldn’t be a problem.
- If you want to use session controls and not just block access, the cloud app must support this. Most Microsoft 365 apps are in scope; for others, have a look at this guide: Deploy Cloud App Security Conditional Access App Control for any apps | Microsoft Docs
I hope I could give you a quick introduction to implementing Conditional Access using certificates. Thanks for reading!
Note: Please note that all content on this blog is provided ‘as is’ without any warranty.