How to Enforce Conditional Access using SCEP

By Nick Bickhart

Learn how to configure Microsoft Conditional Access App Control policies with Microsoft Defender for Cloud Apps (MDCA) using SCEP-issued device certificates.

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)


Prerequisites

  • Microsoft Entra ID (formerly Azure AD) (P1 or P2) subscription plan with Conditional Access included. See here for Microsoft Entra ID licensing information.

  • Licensing for Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). See here for Microsoft Defender for Cloud Apps licensing information.

  • To configure Microsoft Entra ID and Microsoft Defender for Cloud Apps, you will need an account with the Global Administrator or Security Administrator role.

  • Trusted Root and Intermediate certificates (PEM file).

  • Managed PKI solution.

When using HTTP or DNS filtering, Microsoft's IP addresses will need to be added to the allow list. The IP addresses can be obtained from this Microsoft article.

Configure SCEP

The SCEP Library Item can be used with a Managed PKI solution such as Symantec Managed PKI, GlobalSign Managed PKI, Microsoft Entra application proxy with NDES, or SecureW2 for certificate distribution.

  1. Configure and deploy a SCEP profile using the SCEP Library Item. For instructions, please refer to the SCEP Profile support article.

Deploy Root and Intermediate Certificates

  1. Deploy the Root and Intermediate certificates that will be issuing the device certificates. For instructions, please refer to the Certificate Profile support article.

Create a Conditional Access Policy

  1. Click here to go to the Conditional Access blade (you will be prompted to sign in if not already signed in) in Microsoft Entra ID (formerly Azure AD).

  2. At the top of the Conditional Access blade, click + Create new policy.

  3. In the Name field, enter a name for the Conditional Access policy, such as Kandji Conditional Access.

  4. In the Assignments section, under Users, click on 0 users and groups selected.

  5. While testing and validating configurations and workflows, we recommend assigning this policy to test user accounts before assigning it to production users. To do so, select the Select users and groups radio button.

  6. Select the Users and groups checkbox.
  7. Navigate to the upper right corner of the screen and search for the user accounts or groups to which you want to apply the policy.
  8. Select the identified user accounts or groups.
  9. To save the configuration, click on Select.
  10. In the Assignments section, under Target resources, click on the No target resources selected link.

  11. Select the All cloud apps radio button. Alternatively, you can select the Select apps radio button to narrow the scope to specific apps.

  12. In the Access controls section, under Session, click on 0 controls selected.

  13. Select Use Conditional Access App Control.

  14. Under the Use Conditional Access App Control section, select Block downloads (Preview) from the dropdown menu. We will return to this setting later; the Block downloads (Preview) option is required initially to onboard and add the scoped apps in the Microsoft Defender portal.

  15. To save the configuration, click Select.

  16. Under the Enable policy section, switch the policy to On. If prompted, go through the steps to disable Microsoft security defaults.
  17. Click Create to save the policy.

Add the Scoped Cloud Apps to MDCA

Microsoft Defender for Cloud Apps (MDCA) uses Session Control, so to add the scoped apps to the Microsoft Defender portal, you will need to access each scoped cloud app with a test user account at least once, preferably in a private window session (⇧-⌘-N) if using Safari. We will be adding the Office 365 app in the following steps. The same process can be used to add additional apps to the Microsoft Defender portal.

  1. On another device or in a private window, navigate to portal.office.com and sign in with a scoped test user account.
  2. To confirm the cloud app was added to MDCA, navigate to security.microsoft.com and sign in with an administrative account or an account with the Security role assigned to it.

  3. In the bottom left corner of the page, click the Settings gear icon.  

  4. On the settings page, click Cloud Apps.

  5. Under Connected apps, click Conditional Access App Control apps.

  6. You should see Office Portal - General listed as a Connected app. If it is not, review your steps in the previous section. It may take a bit for the Office Portal to show a connected status. Check back later to see if the status gets updated.

  7. Click here to navigate back to the Conditional Access blade and select the Conditional Access policy created earlier.

  8. Under Access controls > Session, click Use Conditional Access App Control.
  9. Change the Conditional Access App Control setting from Block downloads (Preview) to Use Custom Policy.
  10. Click Select.
  11. Click Save.

Add your Root and Intermediate Certificates to MDCA

  1. Navigate back to security.microsoft.com, and in the bottom left corner of the page, click the Settings gear icon.

  2. On the settings page, click Cloud Apps.

  3. Scroll to the bottom of the page. Under the Conditional Access App Control section, click Device identification.

  4. Under the Client certificate based identification section, click + Add a root certificate and follow the prompts to add your Root certificate. Repeat this process to add your Intermediate certificate.

  5. Select the Require certificate revocation check checkbox.

  6. Click Save.

To convert a CER file to PEM, run the following command in Terminal (example):

openssl x509 -in certificate.cer -outform pem -out certificate.pem

If the .cer file is binary DER rather than Base64 text, add -inform der before -in: the openssl shipped with macOS (LibreSSL) and OpenSSL 1.1 expect PEM input by default and will fail to parse a DER file without it.
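A worked version of that conversion together with the checks worth running before uploading, as an added example that is not part of this article and not Kandji's or Microsoft's tooling: it builds a throwaway root, issuing CA and device certificate with openssl (every name, serial and the CRL URL is constructed), converts the DER .cer files to PEM, confirms the converted files are the same certificates, verifies that the device certificate chains to the root through the intermediate, and checks that the device certificate carries a CRL distribution point, which the Require certificate revocation check option selected above depends on.

```shell
#!/bin/sh
# Added example, not Kandji's or Microsoft's tooling. Builds a throwaway
# Root -> Issuing CA -> device certificate chain, converts the CA certs from
# binary DER (.cer) to PEM as the MDCA upload expects, and runs the checks
# worth doing before upload. Every name, URL and file here is constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Write an extension file in openssl config format, one extension per line.
write_ext() {            # $1 = output file, remaining args = extension lines
  out="$1"; shift
  printf '%s\n' "$@" > "$out"
}

# Generate the test PKI. Keys stay in $WORK; only the certificates matter here.
gen_chain() {
  # Self-signed test root, signed via x509 -req so that the only extensions
  # present are the listed ones (same behaviour on OpenSSL 1.1/3 and LibreSSL).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  write_ext "$WORK/root.ext" "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  # Issuing (intermediate) CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  write_ext "$WORK/int.ext" "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # Device certificate as a SCEP enrolment would issue it: client-auth EKU plus
  # a CRL distribution point (constructed URL) for MDCA's revocation check.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=device-serial-C02EXAMPLE" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  write_ext "$WORK/device.ext" "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" "extendedKeyUsage=clientAuth" \
    "crlDistributionPoints=URI:http://pki.example.test/issuing-ca.crl"
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/device.ext" -out "$WORK/device.pem" 2>/dev/null

  # Export the CA certs as binary DER .cer files, the form many PKIs hand out.
  openssl x509 -in "$WORK/root.pem" -outform der -out "$WORK/root.cer"
  openssl x509 -in "$WORK/int.pem" -outform der -out "$WORK/int.cer"
}

# The article's conversion with -inform der added, so it also works where the
# input format defaults to PEM (LibreSSL, OpenSSL 1.1). $1 = .cer in, $2 = .pem out.
cer_to_pem() {
  openssl x509 -inform der -in "$1" -outform pem -out "$2"
}

# Succeeds when two PEM files hold the same certificate (same SHA-256 fingerprint).
same_cert() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Succeeds when the device cert chains to the root through the intermediate:
# the relationship MDCA's "Valid client certificate" device tag rests on.
verify_chain() {          # $1 = root PEM, $2 = intermediate PEM, $3 = device PEM
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds when the cert carries a CRL distribution point. Without one (or an
# OCSP responder in AIA) "Require certificate revocation check" cannot pass.
has_crl_dp() {
  openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

gen_chain
cer_to_pem "$WORK/root.cer" "$WORK/root-upload.pem"
cer_to_pem "$WORK/int.cer"  "$WORK/int-upload.pem"
same_cert "$WORK/root.pem" "$WORK/root-upload.pem"
same_cert "$WORK/int.pem"  "$WORK/int-upload.pem"
verify_chain "$WORK/root-upload.pem" "$WORK/int-upload.pem" "$WORK/device.pem"
has_crl_dp "$WORK/device.pem"
echo "chain verified and CRL DP present; upload $WORK/root-upload.pem and $WORK/int-upload.pem to MDCA"
```

With a real deployment, drop gen_chain and point cer_to_pem, verify_chain and has_crl_dp at the Root and Intermediate files from your managed PKI and at a device certificate exported from a SCEP-enrolled Mac; set WORK to a directory you keep if you want to inspect the converted files afterwards.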

Create an Access Policy in MDCA

  1. In the Microsoft Defender portal, in the Cloud apps section on the left-hand side navigation bar, click Policies > Policy Management.

  2. Click + Create policy.

  3. Click Access policy.

  4. In the name field, enter a name for the Access policy, such as Block untrusted devices.

  5. Under the Activities matching all of the following section, add the following filters to block untrusted devices from accessing O365 via browsers and mobile/desktop apps:

    1. Device Tag does not equal Valid client certificate

    2. App equals Office Portal (or other scoped app)

    3. Client app equals Browser, Mobile and Desktop

  6. Under the Actions section, select the Block radio button.

  7. Select the Customize block message checkbox to enter a customized message that should be displayed to end users trying to access Microsoft 365 from untrusted devices.

  8. Click Create to save the Access policy.

End User Experience

Trusted Devices

End users accessing Microsoft resources on a trusted device will be prompted to select the certificate to present to Microsoft. Sample prompt when using Safari:

Untrusted Devices

End users trying to access Microsoft resources on untrusted devices will receive the following block message.