Conditional Access – device identification using certificates

Conditional Access is great. However, when it comes to managed devices it can only check for Hybrid Azure AD join and Intune compliance. With Microsoft Cloud App Security (MCAS), we can additionally require a certificate to be present on the client before access is granted. In this post I’ll show you how to do that. So yes, Conditional Access using certificates is possible, although we need help from Microsoft’s CASB solution.

What we will do in short: a Conditional Access policy will put our demo user Adele in scope of MCAS’ Conditional Access App Control. This allows us to configure Session and Access policies in MCAS that can check for the client certificate.

Preparing Conditional Access to use certificates

The preparations on the Conditional Access side are quite simple. All we have to do is make sure that users are redirected to MCAS’ Conditional Access App Control with the “Use custom policy…” option.

That’s all I configured for Adele here. All of her sessions will be in scope of MCAS.

If you only want certain sessions to be handled by MCAS, you can achieve this by adding other Conditional Access conditions such as the device platform, location, or device filters.

Preparing Microsoft Cloud App Security

First, we need to add the root or intermediate CA to MCAS in PEM format. The file must, of course, contain the public key. You can upload it in Settings (1) > Device identification (2) > Add a root certificate (3):

Enter a name and description and you are good to go:

Now we need to create Session and Access policies. Session policies are meant to control browser access, while Access policies cover mobile and desktop apps. I created one policy for each scenario:

Let’s have a look at the session policy. I kept it quite simple (if the certificate is not present -> block file download); however, you can get more granular. The check for the certificate is done by the device tag filter, as you can see at the bottom of the left screenshot:

The access policy is even shorter:

Note

You must select “Mobile and desktop” as the client app here; otherwise the access policy will also cover browser sessions. This might be the behavior you want, but if you want to allow browser access in read-only mode with blocked downloads, it would be a problem.

As I said, I kept it simple. You can, however, also filter for:

  • Cloud app
  • Client app
  • Device (Type / Tag)
  • IP address (Raw IP / Category / Tag)
  • Location
  • Registered ISP
  • User (Name / From group)
  • User agent string
  • User agent tag

In the browser-based session policies you can also specify file filters…

  • Extension
  • File name
  • File Size
  • Sensitivity label

… and an inspection method:

  • Built-in DLP
  • Data Classification Service
  • Malware detection

This can be applied to uploads and downloads.

You can also restrict certain actions inside the browser session:

  • Cut/Copy item
  • Paste item
  • Print
  • Sent item

The user experience

Adele will now try to authenticate to the Outlook desktop client.

Unfortunately, the certificate is not present on her machine, which MCAS detects.

Luckily, adding the certificate to her user store resolves the issue. The client certificate must have been issued by the CA we uploaded earlier. For this test I just did a manual import, but using centralized distribution is of course also possible.
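Two steps in this walkthrough are easy to get wrong: exporting the CA certificate in the PEM format MCAS expects (the upload in the “Preparing Microsoft Cloud App Security” section), and confirming that the client certificate in the user’s personal store actually chains to that CA. The following PowerShell snippet is an added example, not code from the original post or from Microsoft; the CA thumbprint and the output path are placeholders you would replace with your own values, and it assumes the issuing CA is present in the machine’s Root or CA store.

```powershell
# Added example (not from the original post): export a CA certificate as PEM for the
# MCAS "Add a root certificate" upload, then check which certificates in the user's
# personal store chain up to that CA. Thumbprint and path below are placeholders.

$caThumbprint = 'REPLACE-WITH-CA-THUMBPRINT'   # assumption: root or intermediate CA thumbprint
$pemPath      = "$env:TEMP\issuing-ca.pem"     # assumption: where the PEM file should land

# 1. Locate the CA certificate (root or intermediate) in the machine stores.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
      Where-Object { $_.Thumbprint -eq $caThumbprint } |
      Select-Object -First 1
if (-not $ca) { throw "CA certificate with thumbprint $caThumbprint not found" }

# 2. Write it out as PEM: Base64 of the DER bytes, wrapped at 64 characters, between the
#    usual markers. Export-Certificate alone produces DER, which is not what MCAS asks for.
#    Only RawData (the public certificate) is exported, never a private key.
$b64   = [Convert]::ToBase64String($ca.RawData)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----') |
    Set-Content -Path $pemPath -Encoding ascii
Write-Host "PEM written to $pemPath (subject: $($ca.Subject))"

# 3. Find certificates in CurrentUser\My whose chain contains that CA. The chain is
#    built without revocation checking so the test also works offline; it only tells
#    you whether the device holds a certificate issued under the uploaded CA.
$chainedCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($_)
    $thumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $built -and ($thumbs -contains $caThumbprint)
}

if ($chainedCerts) {
    $chainedCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No certificate in CurrentUser\My chains to $($ca.Subject); MCAS would not tag this device as having a valid client certificate."
}
```

Run it in the context of the user whose session you are testing, since the personal store being checked is CurrentUser\My. If step 3 reports nothing, that matches what Adele saw above before the import: MCAS cannot identify the device, and the access policy blocks the desktop client.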

Unlike Conditional Access, MCAS reacts to changes in near real time. So once the certificate is imported (or deployed), it works right away on the next attempt.

Important aspects about Conditional Access and certificates

I hope this gave you a quick introduction on how to implement Conditional Access using certificates. Thanks for reading!

Chris


About the Author:

Hello there! My name is Christian Müller.

I am working as an Enterprise Security Consultant at German Microsoft partner infoWAN Datenkommunikation GmbH.

In this private blog, I talk about security topics in the Microsoft 365 world, including Active Directory security, Windows client and server security, and – of course – the various features of the Microsoft cloud. While I mainly focus on the latter, I still enjoy working with hybrid infrastructures.

Please note that all content on this blog is provided ‘as is’ without any warranty. This blog has no affiliation with my employer.

You can also find me here:

Twitter: https://twitter.com/chrisonsecurity

LinkedIn: https://www.linkedin.com/in/christian-h-mueller/

Reference:

Müller, C. (2021). Conditional Access – device identification using certificates. Available at: https://chrisonsecurity.net/2021/06/24/conditional-access-using-certificates/ [Accessed: 29th July 2021].
