Azure AD Conditional access based on Meraki SM profile

Solved
MSakr

Hi All

Did anyone manage to enforce conditional access in Azure AD based on a Systems Manager enrolled profile, without using Intune in the backend?

We need to ensure that only enrolled personal iOS devices can log in to M365; non-SM-enrolled devices should not be able to log in.

Thanks

1 Accepted Solution
PhilipDAth

I don't know the answer.

If only the personal iOS devices have a certificate deployed, you might be able to enable certificate-based authentication in O365.

Typically I would solve something like this using Cisco Duo and the trusted endpoints feature.

https://duo.com/docs/trusted-endpoints

A less strong method would be to buy Cisco Umbrella SIG, run all of those machines' traffic through Umbrella, and create a conditional access policy to match the ranges that the IP traffic is coming from.

https://support.umbrella.com/hc/en-us/articles/360059292052-Additional-Egress-IP-Address-Range

Another option would be to make the devices use a full tunnel back to a Meraki MX - so all of their traffic appears to come from one IP - and match on that IP address in conditional access.
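To make the "match on the egress IP" option concrete, here is an added example (my own, not code from the thread or from Cisco/Microsoft). It builds the two Microsoft Graph-shaped objects the approach needs, an `ipNamedLocation` for the tunnel or Umbrella egress ranges and a conditional access policy that blocks Office 365 sign-ins from iOS unless they arrive from that location, and then runs a local re-implementation of that policy's scoping over constructed sign-in records so you can see which sign-ins it would block. The CIDRs are RFC 5737 placeholders, the named-location id is a placeholder for the id Graph assigns, and `decide()` is a simplified stand-in for the service's own evaluation, modelling only the users/applications/platforms/locations conditions used here.

```python
"""Added example: model the egress-IP conditional access option with
Graph-shaped objects and a local evaluator over constructed sign-ins."""
import ipaddress

# Constructed placeholders (RFC 5737 TEST-NET ranges), not real egress IPs:
# replace with the public addresses your MX tunnel or Umbrella egress uses.
TRUSTED_EGRESS_CIDRS = ["203.0.113.0/28", "198.51.100.64/27"]


def ip_named_location(display_name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (Graph schema)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def block_outside_egress_policy(location_id):
    """Body for POST /identity/conditionalAccess/policies: block Office 365
    sign-ins from iOS unless they come from the named location.
    'location_id' is the id Graph returns for the named location (placeholder)."""
    return {
        "displayName": "Block M365 on iOS unless egress via MX/Umbrella",
        # Report-only first; switch to "enabled" after reviewing sign-in logs.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def in_location(ip, location):
    """True if 'ip' falls inside any range of a Graph-shaped ipNamedLocation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["cidrAddress"]) for r in location["ipRanges"])


def decide(policy, locations_by_id, sign_in):
    """Simplified local evaluation of the policy for one sign-in event.
    Returns 'block' when the policy is in scope and fires, else 'allow'."""
    cond = policy["conditions"]
    if sign_in["platform"] not in cond["platforms"]["includePlatforms"]:
        return "allow"  # out of scope: platform not targeted by the policy
    excluded = cond["locations"]["excludeLocations"]
    if any(in_location(sign_in["ip"], locations_by_id[loc]) for loc in excluded):
        return "allow"  # arrived via the trusted egress range
    return "block" if "block" in policy["grantControls"]["builtInControls"] else "allow"


# Constructed sign-in records with the fields a sign-in log row would carry.
SAMPLE_SIGN_INS = [
    {"user": "a@example.com", "platform": "iOS", "ip": "203.0.113.5"},     # via tunnel
    {"user": "b@example.com", "platform": "iOS", "ip": "198.51.100.200"},  # outside the /27
    {"user": "c@example.com", "platform": "iOS", "ip": "192.0.2.10"},      # home network
    {"user": "d@example.com", "platform": "windows", "ip": "192.0.2.10"},  # out of scope
]


def run_samples():
    """Evaluate every sample sign-in; returns {user: 'allow' | 'block'}."""
    loc = ip_named_location("MX tunnel egress", TRUSTED_EGRESS_CIDRS)
    location_id = "00000000-0000-0000-0000-000000000000"  # placeholder Graph id
    policy = block_outside_egress_policy(location_id)
    return {s["user"]: decide(policy, {location_id: loc}, s) for s in SAMPLE_SIGN_INS}


if __name__ == "__main__":
    for user, verdict in run_samples().items():
        print(f"{user}: {verdict}")
```

Two caveats follow from the evaluator: the device-platform condition is derived from the client's user agent, so the only real boundary in this design is the IP range, and that range proves the network path the traffic took, not that the device is SM-enrolled, which is why the reply above rates it as the less strong option. Keeping the policy in report-only mode and reviewing the sign-in log for unexpected blocks (users outside the tunnel, IPv6 egress not covered by the ranges) before enabling it avoids locking people out.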

2 Replies

Both of these are suitable solutions to not using conditional access. Duo Trusted Endpoints is the easiest to roll out.
