Meraki

Community

Azure AD Conditional access based on Meraki SM profile

Solved
MSakr
Getting noticed
‎Aug 6 2024 12:12 PM
‎Aug 6 2024 12:12 PM

Azure AD Conditional access based on Meraki SM profile

Hi All

Did anyone manage to enforce conditional access in Azure AD based on a systems manager enrolled profile? without using intune in the backend..

We need to ensure that only enrolled personal iOS devices can login to M365, non SM enrolled devices should not be able to login..

 

Thanks

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 7 2024 2:29 AM
‎Aug 7 2024 2:29 AM

I don't know the answer.

 

If only the personal iOS devices have a certificate deployed, you might be able to enable certificate-based authentication in O365.

 

Typically I would solve something like this using Cisco Duo and the trusted endpoints feature.

https://duo.com/docs/trusted-endpoints

 

A less strong method would be to buy Cisco Umbrella SIG, run all of those machines traffic cthrough Umbrella, and create a conditional access policy to match the ranges that the IP traffic is coming from.

https://support.umbrella.com/hc/en-us/articles/360059292052-Additional-Egress-IP-Address-Range 

 

Another option would be to make the devices use a full tunnel back to a Meraki MX - so all of theitr traffic appears to come from one IP - and match on that IP address in conditional access.

View solution in original post

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 7 2024 2:29 AM
‎Aug 7 2024 2:29 AM

I don't know the answer.

 

If only the personal iOS devices have a certificate deployed, you might be able to enable certificate-based authentication in O365.

 

Typically I would solve something like this using Cisco Duo and the trusted endpoints feature.

https://duo.com/docs/trusted-endpoints

 

A less strong method would be to buy Cisco Umbrella SIG, run all of those machines traffic cthrough Umbrella, and create a conditional access policy to match the ranges that the IP traffic is coming from.

https://support.umbrella.com/hc/en-us/articles/360059292052-Additional-Egress-IP-Address-Range 

 

Another option would be to make the devices use a full tunnel back to a Meraki MX - so all of theitr traffic appears to come from one IP - and match on that IP address in conditional access.

0 Kudos
In response to PhilipDAth
PaulF
Meraki Employee
Meraki Employee
‎Aug 9 2024 3:33 AM
‎Aug 9 2024 3:33 AM

Both of these are suitable solutions to not using conditional access. Duo Trusted Endpoints is the easiest to roll out

MSakr
Getting noticed
‎Aug 16 2024 6:56 AM
‎Aug 16 2024 6:56 AM

Hi

 

I thought the poster accepts answers and not Meraki staff 🙂 

Sad that you don;t integrate with intune.. this is a major drawback for us.. not being able to apply conditional access policies based on the compliance of Meraki SM, will force us to have 2 systems.. frankly speaking.. we don;t see the value of Systems manager against intune or jamf in that scenario.. I will need to pull your partners pre sales to help here further

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.