Manual Chapter : Configuring Azure Conditional Access

Applies To:

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3
Configuring Azure Conditional Access

Configuring BIG-IP client certificate inspection

To configure BIG-IP client certificate inspection:
  1. Sign in to the Azure portal.
  2. In Azure Active Directory, click Conditional access > VPN connectivity.
  3. Create a new certificate with:
    • Validity: One year
    • Primary: Yes
  4. Import the certificate onto the BIG-IP system.
  5. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List. Click Import to import the certificate.
  6. Navigate to BIG-IP System manager > Local traffic > Profiles > SSL > Client.
  7. Choose the certificate for Trusted Certificate Authorities, and set Client Certificate to request.
    Client certificate enabled in client SSL profile
  8. Add Client Certificate Inspection to your current VPN APM Access Policy.
    Example of a client certificate inspection in access policy

Configuring Azure AD conditional access policy

To configure your conditional access policy:
  1. Sign in to the Azure portal.
  2. In Azure Active Directory, in the Manage section, click Conditional access > Add.
  3. In this example, we want to make sure that all VPN connections from the "VPN Users" group are controlled. Create a new policy with the following selections:
    • Name: Type VPN CA Policy
    • Users and Groups: VPN Users
    • Cloud Apps: VPN Server
    • Conditions: No conditions
    • Grant: Select Grant access and then select Require device to be marked as compliant. You can also use the Require multi-factor authentication or Require domain joined (Hybrid Azure AD) options.
    • Session: No session
    Conditional access policy settings
  4. Enable the new policy in Azure Active Directory > Conditional access.
    Policy enabled in conditional access
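The same "VPN CA Policy" created through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of this chapter. It assumes the Microsoft.Graph.Identity.SignIns module and an existing Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess scope, and that you supply the object ID of the VPN Users group and the app ID of the VPN Server cloud app (the portal resolves those names for you).

```powershell
# Added example, not from the F5 chapter: creates the "VPN CA Policy" described above
# via Microsoft Graph rather than the portal. Assumes Microsoft.Graph.Identity.SignIns is
# installed and Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' has been run.
function New-VpnConditionalAccessPolicy {
    param(
        # Object ID of the "VPN Users" group (placeholder; look it up with Get-MgGroup).
        [Parameter(Mandatory)][string]$VpnUsersGroupId,
        # App ID of the "VPN Server" cloud app (placeholder; from the Conditional access blade).
        [Parameter(Mandatory)][string]$VpnServerAppId,
        # compliantDevice = "Require device to be marked as compliant";
        # mfa and domainJoinedDevice are the two alternatives the chapter mentions.
        [ValidateSet('compliantDevice', 'mfa', 'domainJoinedDevice')]
        [string[]]$GrantControls = @('compliantDevice'),
        # Start in report-only mode to see who would be blocked before enforcing.
        [switch]$ReportOnly
    )

    $state = if ($ReportOnly) { 'enabledForReportingButNotEnforced' } else { 'enabled' }

    $body = @{
        displayName = 'VPN CA Policy'
        state       = $state
        conditions  = @{
            # "Users and Groups: VPN Users", "Cloud Apps: VPN Server", no other conditions.
            users          = @{ includeGroups = @($VpnUsersGroupId) }
            applications   = @{ includeApplications = @($VpnServerAppId) }
            clientAppTypes = @('all')
        }
        # "Grant access" with the selected control(s); OR means any one of them satisfies the policy.
        grantControls = @{
            operator        = 'OR'
            builtInControls = $GrantControls
        }
        # "Session: No session" means no sessionControls block is sent.
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Example call with placeholder IDs; run with -ReportOnly first, then enable after
# reviewing the sign-in logs.
# New-VpnConditionalAccessPolicy -VpnUsersGroupId '<vpn-users-group-object-id>' `
#     -VpnServerAppId '<vpn-server-app-id>' -ReportOnly
```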

Marking the device as compliant in Azure AD

You can deploy a compliance policy to users in user groups or to devices in device groups. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance. If a device doesn't have a compliance policy assigned, it is considered not compliant. To count as a managed device, a device must have been marked as compliant. To mark the device as compliant in Azure AD:
  1. Sign in to the Azure portal.
  2. Click Device compliance > Policies > Create Policy.
  3. Create a new compliance policy without configuring any settings.
  4. Assign this policy to the VPN users group.
    Example of a device compliance policy

Adding conditional access to VPN profile

To add conditional access to a VPN profile using Intune:
  1. Sign in to the Azure portal.
  2. Create a new VPN profile for Windows 10, following steps similar to creating a base VPN profile. Enable the Enable conditional access for this VPN connection option to ensure that devices that connect to the VPN are checked for conditional access compliance before connecting.
    Conditional access enabled for VPN connection

Configuring custom XML in profile using Intune

F5 Access for Windows Desktop supports the following three authentication flows:
  • Username
  • Certificate only (no prompt for credentials)
  • Username & certificate
These authentication flows are configured through custom XML commands. You can enter the custom XML commands that configure the VPN connection in the F5 Access profile using Intune.
The following example shows how a certificate is configured using custom XML. Because prompt-for-credentials is false, this is the certificate-only flow.
<f5-vpn-conf>
  <!-- Certificate-only flow: no credential prompt, certificate selected by issuer -->
  <prompt-for-credentials>false</prompt-for-credentials>
  <client-certificate>
    <issuer>Microsoft VPN root CA gen 1</issuer>
  </client-certificate>
</f5-vpn-conf>
Example of a custom XML command
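To generate the custom XML for each of the three authentication flows and to classify an existing fragment before pasting it into Intune, the following added PowerShell example (not from this chapter or the F5 Access product) builds on the two elements shown above. It assumes that the Username flow is prompt-for-credentials set to true with no client-certificate element, and that the Username & certificate flow combines a true prompt with the issuer element; those combinations are inferred from the example, not stated in the chapter.

```powershell
# Added example, not from the F5 chapter: builds and classifies F5 Access custom XML.
function New-F5AccessCustomXml {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Username', 'CertificateOnly', 'UsernameAndCertificate')]
        [string]$Flow,
        [string]$Issuer = 'Microsoft VPN root CA gen 1'   # issuer from the chapter's example
    )
    $doc  = [xml]'<f5-vpn-conf/>'
    $root = $doc.DocumentElement

    # Only the certificate-only flow suppresses the credential prompt.
    $promptValue = if ($Flow -eq 'CertificateOnly') { 'false' } else { 'true' }
    $prompt = $doc.CreateElement('prompt-for-credentials')
    $prompt.InnerText = $promptValue
    [void]$root.AppendChild($prompt)

    # Assumption: both certificate flows pin the client certificate by issuer.
    if ($Flow -ne 'Username') {
        $clientCert = $doc.CreateElement('client-certificate')
        $issuerNode = $doc.CreateElement('issuer')
        $issuerNode.InnerText = $Issuer
        [void]$clientCert.AppendChild($issuerNode)
        [void]$root.AppendChild($clientCert)
    }
    $doc.OuterXml
}

function Get-F5AccessAuthFlow {
    # Classifies a custom XML fragment; the [xml] cast throws if it is not well-formed.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    if ($doc.DocumentElement.Name -ne 'f5-vpn-conf') { throw 'Root element must be <f5-vpn-conf>.' }
    $prompt = $doc.SelectSingleNode('/f5-vpn-conf/prompt-for-credentials')
    $issuer = $doc.SelectSingleNode('/f5-vpn-conf/client-certificate/issuer')
    # A missing prompt-for-credentials element is treated as prompting (the safe default).
    $prompts = ($null -eq $prompt) -or ($prompt.InnerText.Trim() -ne 'false')
    if (($null -ne $issuer) -and (-not $prompts)) { return 'CertificateOnly' }
    if ($null -ne $issuer) { return 'UsernameAndCertificate' }
    return 'Username'
}

# Round trip: each generated fragment should classify back to the flow it was built for.
foreach ($flow in 'Username', 'CertificateOnly', 'UsernameAndCertificate') {
    $xml = New-F5AccessCustomXml -Flow $flow
    '{0,-22} -> {1}' -f (Get-F5AccessAuthFlow -Xml $xml), $xml
}
```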

Accessing certificates

To access pre-defined certificates:
  1. Follow these steps to connect to the VPN:
    1. On the Windows 10 device, navigate to Settings > Sync.
    2. Wait for the new VPN to be installed. Connect to the VPN.
      VPN connected screen
  2. On successful VPN connection, run the Certmgr.msc command in a cmd prompt or PowerShell window. This launches the Current User certificate MSC.
  3. Navigate to Certificates - Current User > Personal > Certificates. You should see a newly provisioned certificate issued by "Microsoft VPN root CA gen 1".
    Current User certificate MSC
    The certificate's expiry date is 60 minutes from when it was last requested.
    Certificate's expiry date
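The same check from the PowerShell window instead of the certificate MMC, as an added example that is not part of this chapter: it lists the provisioned certificate in the Current User Personal store, which is the Cert:\CurrentUser\My drive, and reports whether its remaining lifetime fits the 60-minute window the chapter describes. The issuer string is the one used above; the function name is an assumption.

```powershell
# Added example, not from the F5 chapter: confirms the Azure-provisioned VPN certificate
# is present and its expiry is within the expected 60-minute lifetime.
function Get-ProvisionedVpnCertificate {
    param(
        [string]$IssuerName = 'Microsoft VPN root CA gen 1',
        [int]$ExpectedLifetimeMinutes = 60
    )
    # Cert:\CurrentUser\My is "Certificates - Current User > Personal > Certificates".
    $certs = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Issuer -like "*$IssuerName*" }

    if (-not $certs) {
        Write-Warning "No certificate issued by '$IssuerName' found; connect to the VPN first."
        return
    }

    $now = Get-Date
    foreach ($cert in $certs) {
        $minutesLeft = [math]::Round(($cert.NotAfter - $now).TotalMinutes, 1)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            MinutesLeft   = $minutesLeft
            # The client cannot authenticate with a certificate that has no private key.
            HasPrivateKey = $cert.HasPrivateKey
            # Negative: stale, reconnect to re-request. Above the lifetime: clock skew or
            # a certificate that is not the short-lived one issued for the VPN.
            WithinWindow  = ($minutesLeft -gt 0 -and $minutesLeft -le $ExpectedLifetimeMinutes)
        }
    }
}

Get-ProvisionedVpnCertificate | Format-Table -AutoSize
```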