Cisco AnyConnect + Azure AD Conditional Access Policies

EH 21 Reputation points
2021-08-05T19:05:41.587+00:00

When using Azure AD as the identity provider for Cisco AnyConnect VPN connections, do conditional access policies evaluate the source of the authentication (IP address/geography) as the ASA, or the IP address/geography of the user attempting to authenticate?

For example:
In a scenario where a user's public IP address is 1.1.1.1, and the ASA's public IP address is 2.2.2.2, if a conditional access policy is set to only permit connection attempts from 1.1.1.1, will the user be able to successfully connect, or would the IP address 2.2.2.2 need to be the one which is whitelisted (or both IP addresses)?

Tags: Microsoft Security, Microsoft Entra, Microsoft Entra ID

Accepted answer
AmanpreetSingh-MSFT 56,871 Reputation points Moderator
2021-08-06T04:31:51.403+00:00

    Hi @EH • Thank you for reaching out.

    When you configure Azure AD as the identity provider for Cisco AnyConnect VPN connections, users who are attempting to connect get redirected (HTTP 302) to the Azure AD auth endpoint, and a connection from the user's device is established directly to Azure AD, which means Azure AD will always receive the user's IP address and not the address of Cisco AnyConnect. So, in this case, the conditions in CA policies will be evaluated on the basis of users' public IP addresses.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
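The accepted answer describes the flow: the AnyConnect client's embedded browser follows the 302 straight to Azure AD, so the sign-in record and any location-based Conditional Access condition are evaluated against the user's own public address (1.1.1.1 in the question), never the ASA's (2.2.2.2). The following is an added example, not code from the thread or from Microsoft: a small model of a "block unless the source IP is in a listed named location" policy, run against constructed sign-in records. The record shape (`ipAddress`, `appDisplayName`, `userPrincipalName`) loosely mimics a Microsoft Graph `signIn` entry, the app display name "Cisco AnyConnect" and the CIDR-list policy model are assumptions, and the sample records are constructed, not real log data.

```python
"""Model of how a named-location Conditional Access condition is evaluated.

Added example for illustration; not Microsoft's implementation and not code
from the original Q&A thread. Assumptions: sign-in dicts mimic a few fields
of a Graph signIn record; the policy is a simplified "block unless the
source IP is inside an allowed named location" rule scoped to one app.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NamedLocation:
    """A named location: a display name plus IPv4/IPv6 CIDR ranges."""
    name: str
    cidrs: tuple

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs)


@dataclass(frozen=True)
class LocationPolicy:
    """Simplified policy: for one cloud app, block unless the source IP matches
    at least one allowed named location."""
    name: str
    app_display_name: str
    allowed_locations: tuple


def evaluate(policy: LocationPolicy, signin: dict) -> dict:
    """Return the outcome of applying `policy` to one sign-in record.

    The only address available to the evaluation is the record's `ipAddress`,
    which is the address of the device that followed the 302 to Azure AD
    (the user's client). The VPN headend's outside address is not in the
    record at all, so listing it in a named location can never match.
    """
    if signin["appDisplayName"] != policy.app_display_name:
        return {"status": "notApplied", "reason": "policy not scoped to this app"}
    src = signin["ipAddress"]
    for loc in policy.allowed_locations:
        if loc.contains(src):
            return {"status": "success", "reason": f"{src} is inside {loc.name!r}"}
    return {"status": "failure", "reason": f"{src} matched no allowed location; blocked"}


# Constructed sample data (not real tenant data). The app display name is an
# assumption about how the AnyConnect enterprise app would be registered.
USER_SIGNIN = {
    "userPrincipalName": "eh@example.com",
    "appDisplayName": "Cisco AnyConnect",
    "ipAddress": "1.1.1.1",  # the user's own public address, as in the question
}
USER_OFFICE = NamedLocation("User public IP", ("1.1.1.1/32",))
ASA_OUTSIDE = NamedLocation("ASA outside interface", ("2.2.2.2/32",))


def anyconnect_policy(*locations: NamedLocation) -> LocationPolicy:
    """Build the question's policy: AnyConnect only from the listed locations."""
    return LocationPolicy("AnyConnect: block outside trusted IPs",
                          "Cisco AnyConnect", tuple(locations))


if __name__ == "__main__":
    # Listing the user's address works; listing only the ASA's address blocks the user.
    for locs in ((USER_OFFICE,), (ASA_OUTSIDE,), (USER_OFFICE, ASA_OUTSIDE)):
        print([loc.name for loc in locs], "->", evaluate(anyconnect_policy(*locs), USER_SIGNIN))
```

To confirm this against a real tenant rather than the model, look at the `ipAddress` column of the Azure AD sign-in log entry for an AnyConnect sign-in: it will show the user's public address, and the policy's named location must cover that address. Adding the ASA's address to the named location is harmless but does nothing for the AnyConnect sign-in itself.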

0 additional answers
