Microsoft Entra - Enterprise Application - Conditional Access - non intuitive error message

jce 20 Reputation points
2023-12-29T09:05:48.99+00:00

Hello,

I've tried to set up an Enterprise Application for SAML authentication (Azure AD) for Cisco AnyConnect users.

Everything is working fine. Users are able to authenticate without any problem.

Then I saw that there is an option for Conditional Access and an option to allow only Intune-compliant devices to make a VPN connection with SAML authentication. I've enabled this, and I was surprised that "it works". But the solution is not complete, because when non-compliant devices try to make SAML authentication, users get a very confusing message: the user is asked to sign in via the Edge browser...

I've tried to find if there is any solution for customizing this message (see attached image).

In some places I've found that there may be an option to do it via Microsoft Defender (admin center) and an Access/Session policy, but I am not able to add the created SAML application Cisco AnyConnect to the list of applications, and because of that there is no option to create a custom application in Microsoft Defender.

I've tried to make something like this to customize the message on the image, but just for SAML Conditional Access for Intune non-compliant devices:

https://www.satisnet.co.uk/post/custom-policies-in-microsoft-cloud-app-security-mcas

Any suggestion?

Any possibility to customize the message on the image?

Thanks

JC


Accepted answer
  1. Andy David - MVP 152.3K Reputation points MVP
    2023-12-29T13:24:45.96+00:00

    You won't be able to customize that message.

    If you add the app in Defender Cloud Apps as you mentioned, you can create a custom message.

    To onboard the app in Cloud App Security, you can add it via the URL once it hits the Cloud App Security reverse proxy. If you are unable to find the app listed, add it manually:

    https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-any-app#how-to-manually-add-an-unidentified-app


    The complete steps:

    https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-any-app
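The routing step in the answer above (the app has to reach the Defender for Cloud Apps reverse proxy before it can be onboarded and given a session policy with a custom block message) is driven by a Conditional Access session control. The following is an added illustration, not code from this thread or from Microsoft's docs: it creates that policy through Microsoft Graph, and the application ID and pilot group ID are placeholders you must replace.

```powershell
# Added example: create a report-only Conditional Access policy that sends the
# Cisco AnyConnect SAML app through Conditional Access App Control (the
# Defender for Cloud Apps reverse proxy). Requires the Microsoft.Graph PowerShell SDK.
# The two IDs below are placeholders (assumptions), not values from the thread.
$AnyConnectAppId = "00000000-0000-0000-0000-000000000000"  # appId (client ID) of the SAML enterprise app
$PilotGroupId    = "11111111-1111-1111-1111-111111111111"  # pilot user group for the rollout

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "AnyConnect SAML - route through Defender for Cloud Apps"
    # Start in report-only mode; switch to "enabled" once the app shows up in the
    # Cloud Apps portal and the session policy has been tested with a pilot group.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($AnyConnectAppId) }
        clientAppTypes = @("all")
    }
    # Deliberately no "compliantDevice" grant control here: a grant-level block
    # is enforced at sign-in and shows the built-in, non-customisable message
    # before the session ever reaches the proxy. The block for non-compliant
    # devices, with its custom message, is then created as a session policy in
    # the Defender for Cloud Apps portal, as the answer describes.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # "Use custom policy" in the portal UI
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Report-only sign-in logs now show whether the policy would apply, so the
# routing can be verified before users are affected.
$created.id
```

Once the app appears under Conditional Access App Control in the Defender portal, the custom block message is defined in the session policy there; nothing in the Entra policy itself can change the wording of the built-in message.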


1 additional answer

  1. jce 20 Reputation points
    2024-01-10T13:11:42.6466667+00:00

    In general, that is the right way to add an application.

    Thanks.

    But I am still confused by the different message (the new one). It is right for me to have this message for non-compliant computers.

    But it would be nice if the administrator had an option to customize this message.

    I am trying to do it via Defender but without success.
