Manual Chapter : Configuring Azure Conditional Access

Applies To:

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.3, 11.6.3, 11.5.7
Configuring Azure Conditional Access

Configuring BIG-IP client certificate inspection

To configure BIG-IP client certificate inspection:

  1. Sign in to the Azure portal.
  2. In Azure Active Directory, click Conditional access > VPN connectivity .
  3. Create a new certificate with:
    • Validity: One year
    • Primary: Yes
  4. Import the certificate onto the BIG-IP system: navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List and click Import .
  5. Navigate to Local Traffic > Profiles > SSL > Client and open the client SSL profile that the VPN virtual server uses.
  6. Add the imported certificate to Trusted Certificate Authorities and set Client Certificate to request.
    With request, the BIG-IP system asks the client for a certificate during the TLS handshake but completes the handshake even if none is presented, so the access policy, not the SSL profile, decides whether the session continues. With require, a client without a certificate is rejected before it ever reaches the access policy.
    Client certificate enabled in client SSL profile

  7. Add a Client Certificate Inspection item to your existing VPN access policy. This item checks the result of the certificate exchange so the policy can branch, for example to a Deny ending when no valid certificate was presented.
    Example of a client certificate inspection in access policy

Configuring Azure AD conditional access policy

To configure your conditional access policy:

  1. Sign in to the Azure portal.
  2. In Azure Active Directory, in the Manage section, click Conditional access > Add .
  3. In this example, we want to make sure that all VPN connections from the "VPN Users" group are controlled. Create a new policy with the following selections:
    • Name: VPN CA Policy
    • Users and Groups: VPN Users
    • Cloud Apps: VPN Server
    • Conditions: No conditions
    • Grant: Select Grant access and then select Require device to be marked as compliant. You can also use the Require multi-factor authentication or Require domain joined (Hybrid Azure AD) options.
    • Session: No session controls
    Conditional access policy settings

  4. Enable the new policy in Azure Active Directory > Conditional access . Until the policy is enabled it is not enforced for the VPN Users group.
    Policy enabled in conditional access
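
The manual describes the portal UI only. As an added example (not F5's or Microsoft's code), the same "VPN CA Policy" is expressed below as a Microsoft Graph conditionalAccessPolicy body created with the Microsoft.Graph PowerShell SDK, together with a check for the settings that silently make such a policy ineffective (report-only or disabled state, no grant control, no target application, no user scope). The group and application IDs are placeholders for your tenant (assumption), and the SDK is assumed to be installed and connected with Connect-MgGraph.

```powershell
# Added example, not part of the F5 manual: "VPN CA Policy" as a Graph
# conditionalAccessPolicy body, plus a sanity check before it is created.
# Assumptions (labelled): the two IDs are placeholders; Microsoft.Graph is
# installed and connected, e.g.
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
function New-VpnCaPolicyBody {
    param(
        [Parameter(Mandatory)] [string] $VpnUsersGroupId,  # object ID of the "VPN Users" group
        [Parameter(Mandatory)] [string] $VpnServerAppId,   # application ID of the "VPN Server" cloud app
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced',
        # compliantDevice = "Require device to be marked as compliant".
        # The alternatives the manual names are 'mfa' and 'domainJoinedDevice'.
        [string[]] $GrantControls = @('compliantDevice')
    )
    @{
        displayName   = 'VPN CA Policy'
        state         = $State
        conditions    = @{
            users        = @{ includeGroups = @($VpnUsersGroupId) }
            applications = @{ includeApplications = @($VpnServerAppId) }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = $GrantControls
        }
    }
}

# Returns one line per problem; an empty result means the body is enforceable.
function Test-VpnCaPolicyBody {
    param([Parameter(Mandatory)] [hashtable] $Body)
    $problems = @()
    if ($Body.state -ne 'enabled') {
        $problems += "state is '$($Body.state)': the policy is not enforced"
    }
    if (-not $Body.grantControls.builtInControls) {
        $problems += 'no grant control: access is granted unconditionally'
    }
    if (-not $Body.conditions.applications.includeApplications) {
        $problems += 'no target application: the policy never applies to the VPN'
    }
    if (-not $Body.conditions.users.includeGroups) {
        $problems += 'no user scope: the policy applies to nobody'
    }
    $problems
}

# Start in report-only mode so the sign-in logs show what would have been
# blocked, then switch to enabled once the results look right.
$body = New-VpnCaPolicyBody -VpnUsersGroupId '<vpn-users-group-object-id>' `
                            -VpnServerAppId  '<vpn-server-app-id>'
Test-VpnCaPolicyBody -Body $body          # reports the report-only state

$body.state = 'enabled'
if (-not (Test-VpnCaPolicyBody -Body $body)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

Creating the policy through Graph rather than the portal makes the configuration reviewable and repeatable, and running Test-VpnCaPolicyBody first catches the common mistake of leaving a policy in report-only mode after testing.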

Marking the device as compliant in Azure AD

You can deploy a compliance policy to users in user groups or to devices in device groups. When a compliance policy is deployed to a user, all of that user's devices are checked for compliance. A device that has no compliance policy assigned is considered not compliant. Only a device that is enrolled in Intune (a managed device) is evaluated and can be marked as compliant, so the conditional access grant also implies enrollment. To mark the device as compliant in Azure AD:

  1. Sign in to the Azure portal.
  2. Click Device compliance > Policies > Create Policy .
  3. Create a new compliance policy without configuring any settings. A policy with no settings marks every enrolled device it targets as compliant, which is enough to test the end-to-end flow; for production, add the compliance settings your organization requires so that "compliant" means more than "enrolled".
  4. Assign this policy to the VPN Users group.
    Example of a device compliance policy

Adding conditional access to VPN profile

To add conditional access to a VPN profile using Intune:

  1. Sign in to the Azure portal.
  2. Create a new VPN profile for Windows 10, following steps similar to creating a base VPN profile. Select Enable conditional access for this VPN connection so that a device is checked against the conditional access policy before it is allowed to connect.
    Conditional access enabled for VPN connection

Configuring custom XML in profile using Intune

F5 Access for Windows Desktop supports the following three authentication flows:

  • Username
  • Certificate only (no prompt for credentials)
  • Username & certificate

These authentication flows are configured through custom XML. You can enter the custom XML that configures the VPN connection in the F5 Access profile using Intune.

The following example configures the certificate-only flow: the client is not prompted for credentials, and the <issuer> element identifies which client certificate F5 Access presents.

  <f5-vpn-conf>
  <prompt-for-credentials>false</prompt-for-credentials>
  <client-certificate>
  <issuer>Microsoft VPN root CA gen 1</issuer>
  </client-certificate>
  </f5-vpn-conf>
  Example of a custom XML command

Refer to Configuration Notes: F5 Access for Microsoft Windows 10 and Windows 10 Mobile for more information.
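
Before pasting custom XML into an Intune profile it is worth checking that it says what you intend. The following script is an added example, not part of the F5 manual or of F5 Access: it parses an f5-vpn-conf fragment and reports which of the three authentication flows above it expresses, warning when the result would leave the client unable to authenticate or selecting a certificate from the wrong CA. The manual shows only the certificate-only fragment, so the mapping of the other two flows onto prompt-for-credentials and client-certificate, and the treatment of a missing prompt-for-credentials element as "true", are assumptions made here.

```powershell
# Added example, not part of the F5 manual: classify an F5 Access custom XML
# fragment by the authentication flow it expresses.
# Assumption (labelled): the manual shows only the certificate-only case, so
# the mapping below is inferred from the three flows it lists:
#   prompt-for-credentials=true,  no <client-certificate> -> Username
#   prompt-for-credentials=false, <client-certificate>    -> Certificate only
#   prompt-for-credentials=true,  <client-certificate>    -> Username & certificate
function Get-F5AccessAuthFlow {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        [string] $ExpectedIssuer = 'Microsoft VPN root CA gen 1'
    )

    try   { $doc = [xml] $Xml.Trim() }
    catch { throw "Custom XML is not well-formed: $($_.Exception.Message)" }

    $conf = $doc.DocumentElement
    if ($conf.Name -ne 'f5-vpn-conf') {
        throw "Root element is <$($conf.Name)>, expected <f5-vpn-conf>."
    }

    # Assumption: a missing <prompt-for-credentials> behaves like "true".
    $prompt = $true
    $promptNode = $conf.SelectSingleNode('prompt-for-credentials')
    if ($promptNode) {
        $raw = $promptNode.InnerText.Trim()
        if ($raw -notin 'true', 'false') {
            throw "<prompt-for-credentials> must be 'true' or 'false', got '$raw'."
        }
        $prompt = ($raw -eq 'true')
    }

    $certNode   = $conf.SelectSingleNode('client-certificate')
    $issuerNode = if ($certNode) { $certNode.SelectSingleNode('issuer') } else { $null }
    $issuer     = if ($issuerNode) { $issuerNode.InnerText.Trim() } else { $null }

    if ($certNode -and -not $prompt) { $flow = 'Certificate only' }
    elseif ($certNode)               { $flow = 'Username & certificate' }
    elseif ($prompt)                 { $flow = 'Username' }
    else {
        throw 'prompt-for-credentials is false and no <client-certificate> is configured: nothing to authenticate with.'
    }

    $warnings = @()
    if ($certNode -and -not $issuer) {
        $warnings += '<client-certificate> has no <issuer>; the client cannot select a certificate.'
    }
    if ($issuer -and $issuer -ne $ExpectedIssuer) {
        $warnings += "Issuer '$issuer' differs from the expected '$ExpectedIssuer'."
    }

    [pscustomobject]@{
        Flow                 = $flow
        PromptForCredentials = $prompt
        Issuer               = $issuer
        Warnings             = $warnings
    }
}

# Constructed sample: the certificate-only fragment from the manual.
$sample = @'
<f5-vpn-conf>
<prompt-for-credentials>false</prompt-for-credentials>
<client-certificate>
<issuer>Microsoft VPN root CA gen 1</issuer>
</client-certificate>
</f5-vpn-conf>
'@

Get-F5AccessAuthFlow -Xml $sample | Format-List
```

Run the function against each fragment you plan to deploy; a non-empty Warnings list, or an exception, means the profile would not give the authentication flow the manual describes.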

Accessing certificates

To confirm that a certificate was provisioned:

  1. Connect to the VPN:
    1. On the Windows 10 device, navigate to Settings > Sync to pull down the new Intune VPN profile.
    2. Wait for the new VPN to be installed, then connect to the VPN.
      VPN connected screen

  2. After the VPN connects, run certmgr.msc from a command prompt or PowerShell window.
    This launches the Certificates - Current User console.
  3. Navigate to Certificates - Current User > Personal > Certificates . You should see a newly provisioned certificate issued by "Microsoft VPN root CA gen 1".
    Current User certificate MSC

    The certificate's expiry date is 60 minutes from when it was last requested, so the device holds only a short-lived credential rather than a long-lived one that could be copied off the machine.
    Certificate's expiry date
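
The certmgr.msc check above can be scripted. The following is an added example, not part of the F5 manual: run on the Windows 10 client after the VPN connects, it lists the certificates in the Current User Personal store issued by the Azure VPN CA and reports each one's lifetime, remaining validity, private key presence and Client Authentication EKU, so the 60-minute behaviour can be confirmed without the GUI. Because the manual gives only the CA's common name, the issuer is matched with a wildcard rather than a full distinguished name (assumption).

```powershell
# Added example, not part of the F5 manual: inspect the short-lived VPN client
# certificate in the Current User Personal store (Cert:\CurrentUser\My).
# Assumption (labelled): the issuer is matched on the CA common name the
# manual gives, with a wildcard, rather than on a full distinguished name.
function Get-VpnSessionCertificate {
    param([string] $IssuerName = 'Microsoft VPN root CA gen 1')

    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like "*$IssuerName*" } |
        Sort-Object -Property NotAfter -Descending |
        ForEach-Object {
            $cert = $_
            # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) is what a TLS
            # client certificate needs; the Cert: provider exposes the list.
            $clientAuth = $cert.EnhancedKeyUsageList |
                Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                LifetimeMin   = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalMinutes)
                MinutesLeft   = [math]::Round(($cert.NotAfter - $now).TotalMinutes)
                HasPrivateKey = $cert.HasPrivateKey
                ClientAuthEku = [bool] $clientAuth
            }
        }
}

$certs = @(Get-VpnSessionCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificate from the VPN CA found: the device may have failed the conditional access check.'
}
else {
    $certs | Format-Table Subject, MinutesLeft, LifetimeMin, HasPrivateKey, ClientAuthEku -AutoSize
}
```

A LifetimeMin of about 60 and a negative MinutesLeft on older entries shows the expected behaviour: each VPN request obtains a fresh certificate and earlier ones simply age out.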