Update conditional access policies to work with split tunnel VPN for M365 products

Keith Andrews 46 Reputation points
2023-09-05T18:08:15.0366667+00:00

We have existing access policies in place that prevent certain users from accessing M365 products when not connected to our company's network, either by office or VPN. We would like to turn split-tunneling on for FortiClient VPN so we can balance the bandwidth usage when accessing Teams and other M365 products.

Currently this will not work with the existing conditional access policy due to the fact that the public IP of the user's home internet is not known or trusted. Is there a way to create a policy that will allow us to maintain the existing security controls for M365 products, but allow split-tunneling to work when connected over VPN?

I should mention that we do not have all of our devices in Intune yet. I believe this is one way to filter the conditional access policy so that company devices are excluded from the policy. If there is another way, please let me know!

Thanks!

Keith


2 answers

  1. Konstantinos Passadis 19,496 Reputation points MVP
    2023-09-05T19:38:50.72+00:00

    Hello @keith andrews !

    First I have to say that Intune is mandatory as for the Management and Control, and Defender also!

    BUT

    If you have not yet onboarded then this may help:

    Using Microsoft Defender for Cloud Apps (Cloud App Security), there is an option to identify trusted devices via Certificate:

    You can then create Access and/or Session Policies for your Apps, but you must also onboard these apps to Cloud App Security, so the Conditional Access Policy can understand it.

    The control is either Block or Monitor and you can play along with Session or Access Policy!

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

    Here are some links:

    https://cybergeeks.cloud/2022/07/defender-for-cloud-apps-client-certificate-auth/

    https://sc.scomurr.com/mcas-device-identity-via-certificates-and-progressive-web-apps/

    https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad#managed-device-identification


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  2. Konstantinos Passadis 19,496 Reputation points MVP
    2023-09-05T20:41:34.44+00:00

    Hello @keith andrews !

    I understand the scenario.

    The Cloud App Security has the ability to add multiple filters so a condition is built.

    If the device is not Certificate Trusted (you must deploy the Certificate) and the user belongs to a certain Group, Access can be blocked!

    I think you should try the feature as a Demo to see if it fits!

    There is also the Preview:

    https://learn.microsoft.com/en-us/azure/global-secure-access/how-to-get-started-with-global-secure-access#microsoft-entra-private-access

    https://learn.microsoft.com/en-us/azure/global-secure-access/how-to-target-resource-private-access-apps

    Called Private Access, it is not tested by me, but maybe this also provides the control you need, given that no Intune is in place!

    In all cases a trial is a must, starting with Defender for Cloud Apps which is many years in place.

    The Global Secure Access is a new feature, it seems promising, and it fits similar cases!


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
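Putting the question's scenario and the filter condition from this answer ("device not certificate trusted AND user in group, then block") into code, as an added example that is not part of the original thread and is not Microsoft's code: the script models how Entra ID evaluates a location-scoped block policy, shows why split tunnelling defeats it (the sign-in arrives from the home ISP address, which is not a trusted named location), and shows how an exclusion for trusted devices restores access for managed devices while unmanaged ones stay blocked. `policy_definition()` gives the shape of that revised policy in Microsoft Graph `conditionalAccessPolicy` terms; the group object ID is a placeholder, and the IP ranges, users and group name are constructed sample data.

```python
"""Toy model of the Conditional Access behaviour discussed in this thread.

Added example (not Microsoft code and not from the thread). It shows why a
location-only policy blocks users once split tunnelling sends M365 traffic
out of the home connection, and how an exclusion for trusted devices (the
certificate-identified / managed-device check the answers point at) keeps
the control for unmanaged devices. Every IP, user, group and object ID
below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate egress ranges (documentation address blocks), standing
# in for the trusted named locations an admin would configure in Entra ID.
TRUSTED_LOCATIONS = [
    ip_network("203.0.113.0/24"),   # office egress
    ip_network("198.51.100.0/24"),  # full-tunnel VPN egress
]
RESTRICTED_GROUP = "M365-OnNetworkOnly"  # constructed group name


def policy_definition() -> dict:
    """Shape of the revised policy in Microsoft Graph conditionalAccessPolicy
    terms. The device filter excludes Intune-compliant devices and, as one
    option for devices not yet in Intune, hybrid-joined ones (trustType
    ServerAD). The group object ID is a placeholder."""
    return {
        "displayName": "Block M365 off-network for restricted users (managed devices exempt)",
        "state": "enabledForReportingButNotEnforced",  # report-only first
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": ["<restricted-group-object-id>"]},
            "applications": {"includeApplications": ["Office365"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
            "devices": {"deviceFilter": {
                "mode": "exclude",
                "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"',
            }},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


@dataclass
class SignIn:
    user: str
    groups: set
    source_ip: str        # address Entra ID sees, i.e. the egress IP of the traffic
    device_trusted: bool  # would pass the device filter (compliant / certificate-identified)


def from_trusted_location(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def evaluate(sign_in: SignIn, device_exclusion: bool) -> str:
    """Return "allow" or "block" for the policy above.

    device_exclusion=False is the existing location-only policy; True adds the
    device-filter exclusion (the "devices" condition in policy_definition)."""
    if RESTRICTED_GROUP not in sign_in.groups:
        return "allow"   # user not in scope of the policy
    if from_trusted_location(sign_in.source_ip):
        return "allow"   # excluded location: office or full-tunnel VPN egress
    if device_exclusion and sign_in.device_trusted:
        return "allow"   # excluded by the device filter
    return "block"


def egress_ip(home_ip: str, vpn_egress: str, split_tunnel: bool) -> str:
    """With split tunnelling, SaaS traffic leaves via the home ISP connection,
    so Entra ID sees the home address rather than the VPN egress."""
    return home_ip if split_tunnel else vpn_egress


def demo() -> dict:
    """Decision matrix keyed by (split_tunnel, device_trusted, device_exclusion)."""
    home_ip, vpn_ip = "192.0.2.77", "198.51.100.10"   # constructed addresses
    results = {}
    for split in (False, True):
        for trusted in (True, False):
            for excl in (False, True):
                s = SignIn("alice", {RESTRICTED_GROUP},
                           egress_ip(home_ip, vpn_ip, split), trusted)
                results[(split, trusted, excl)] = evaluate(s, excl)
    return results


if __name__ == "__main__":
    for (split, trusted, excl), decision in demo().items():
        print(f"split_tunnel={split!s:5} trusted_device={trusted!s:5} "
              f"device_exclusion={excl!s:5} -> {decision}")
```

Running it prints the decision matrix: with the tunnel fully routed every sign-in is allowed regardless of device, because the VPN egress is a trusted location; with split tunnelling and the location-only policy every sign-in is blocked, which is the problem the question describes; with the device-filter exclusion added, a managed device is allowed from home while an unmanaged one is still blocked. In a real tenant the device filter only works for devices that are registered or joined to Entra ID (Intune compliance, hybrid join, or the certificate-based identification via Defender for Cloud Apps that the answer links), so the policy is best created in report-only mode and checked against sign-in logs before enforcement.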

