How to Enforce Conditional Access using SCEP

By Rob Nellist

Learn how to configure Microsoft Conditional Access App Control policies with Microsoft Defender for Cloud Apps (MDCA) using SCEP


Prerequisites

  • Azure AD (P1 or P2) subscription plan with Conditional Access included. See Microsoft's Azure AD licensing documentation for details.

  • Licensing for Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). See Microsoft's Defender for Cloud Apps licensing documentation for details.

  • For the configuration of Azure AD and Microsoft Defender for Cloud Apps, an account with the Global Administrator role or Security Administrator role will be needed.

  • Trusted Root and Intermediate certificates (PEM file).

  • Managed PKI solution.

Configure SCEP

The SCEP Library Item can be used with a Managed PKI solution such as Symantec Managed PKI, GlobalSign Managed PKI, or SecureW2 for certificate distribution.

  1. Configure and deploy a SCEP profile using the SCEP Library Item. For instructions, please refer to the SCEP Profile support article.

Deploy Root and Intermediate Certificates

  1. Deploy the Root and Intermediate certificates that will be issuing the device certificates. For instructions, please refer to the Certificate Profile support article.

Create a Conditional Access Policy

  1. Go to the Conditional Access blade in Azure AD (you will be prompted to sign in if not already signed in).

  2. At the top of the Conditional Access blade, click + New policy.

  3. In the Name field, enter a name for the Conditional Access policy, such as Kandji Conditional Access.

  4. In the Assignments section, under Users or workload identities, select 0 users or workload identities selected.

  5. While testing and validating configurations and workflows, it is recommended to assign this policy to test user accounts before assigning it to production users. To do so, select the Select users and groups radio button.

  6. Select the Users and groups checkbox.
  7. Navigate to the upper right corner of the screen and search for the user accounts or groups to which you want to apply the policy.
  8. Select the identified user accounts or groups.
  9. Click on Select to save the configuration.

  10. In the Assignments section, under Cloud apps or actions, select No cloud apps, actions, or authentication contexts selected.

  11. Select the All cloud apps radio button. Alternatively, you can select the Select apps radio button to narrow the scope to specific apps.

  12. In the Access controls section, under Session, select 0 controls selected.

  13. Select Use Conditional Access App Control.

  14. On the dropdown menu, under the Use Conditional Access App Control section, select Block downloads (Preview). We will return to this setting later; the Block downloads (Preview) option is required initially to onboard and add the scoped apps in the MDCA portal.

  15. Click Select on the bottom right to save Session settings.

  16. On the bottom left of the page, under the Enable policy section, select On to turn on the policy.
  17. Click Create to save the policy.

Add the Scoped Cloud Apps to MDCA

MDCA uses Session Control, so to add the scoped apps to the MDCA portal, you will need to access each scoped cloud app with a test user account at least once, preferably in a private window if using Safari. We will be adding the Office 365 app in the following steps. You can repeat this process for other apps you wish to add to the MDCA portal.

  1. On another device or in a private window, navigate to portal.office.com and sign in with a scoped test user account.
  2. To confirm the cloud app was added to MDCA, navigate to portal.cloudappsecurity.com and sign in with an administrative account or an account with the Security role assigned to it.

  3. On the top right corner of the page, click the Settings gear icon.

  4. Under the Sources section, click Conditional Access App Control.

  5. You should see Office Portal - General listed as a Connected app. If it is not, review your steps in the previous section.

  6. Navigate back to the Conditional Access blade in Azure AD and select the Conditional Access policy created earlier.
  7. In the Access controls section, under Session, select Use Conditional Access App Control.
  8. Change the Conditional Access App Control setting from Block downloads (Preview) to Use Custom Policy.
  9. Click Select.
  10. Click Save to save changes.

Add your Root and Intermediate Certificates to MDCA

  1. On the top right corner of the page, click the Settings gear icon.

  2. Under the System section, click Settings.

  3. Scroll to the bottom of the page. Under the Conditional Access App Control section, click Device identification.

  4. Under the Client certificate based identification section, click + Add a root certificate and follow the prompts to add your Root certificate. Repeat this process to add your Intermediate certificate.

  5. Select the Require certificate revocation check checkbox.

  6. Click Save.

To convert a DER file (.crt, .cer, or .der) to PEM, use the following command in Terminal:

openssl x509 -inform der -in certificate.cer -out certificate.pem
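Before turning the policy on, it is worth pre-flighting the certificates you will upload. The shell script below is an added example, not code from the Kandji article: it builds a throwaway root, intermediate and device certificate with openssl, runs the same DER-to-PEM conversion, and checks that the device certificate chains to the Root and Intermediate PEMs and carries a CRL distribution point. It assumes openssl is installed; the CRL URL and all names are constructed placeholders, and treating a CRL distribution point as necessary for the revocation check is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Kandji article. Builds a throwaway
# root -> intermediate -> device chain, runs the article's DER-to-PEM
# conversion, then checks that the device cert chains to the uploaded
# Root/Intermediate and (assumption) carries a CRL distribution point
# for "Require certificate revocation check". All names are placeholders.
set -eu

# to_pem DER PEM: the conversion command from the article, unchanged
to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# chain_ok ROOT INT CERT: true if CERT verifies up to ROOT via INT
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# has_crl_dp CERT: true if CERT carries a CRL distribution point
has_crl_dp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }

# make_test_chain DIR: constructed test PKI; the device cert is written as DER
make_test_chain() {
  d=$1; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' >"$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$d/dev.ext"
  printf 'crlDistributionPoints=URI:http://pki.example.invalid/device.crl\n' >>"$d/dev.ext"
  for n in root int device; do   # one key + CSR per tier
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=test-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/device.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 365 -extfile "$d/dev.ext" -outform der -out "$d/device.cer" 2>/dev/null
}

# preflight DIR: convert and check; returns 0 only when both checks pass
preflight() {
  d=$1; rc=0; to_pem "$d/device.cer" "$d/device.pem"
  if chain_ok "$d/root.pem" "$d/int.pem" "$d/device.pem"; then echo "chain: OK"
  else echo "chain: FAIL, device cert does not chain to uploaded Root/Intermediate"; rc=1; fi
  if has_crl_dp "$d/device.pem"; then echo "crl dp: OK"
  else echo "crl dp: MISSING, revocation check cannot succeed"; rc=1; fi
  return $rc
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  make_test_chain "$work" && preflight "$work"
fi
```

To check a real device certificate, point to_pem, chain_ok and has_crl_dp at the files you intend to upload and the certificate issued through the SCEP profile.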

Create an Access Policy in MDCA

  1. In the MDCA portal on the left-hand side navigation bar, expand the Control menu item.

  2. Click Policies.

  3. Click + Create policy.

  4. Click Access policy.

  5. In the name field, enter a name for the Access policy, such as Block untrusted devices.

  6. Under the Activities matching all of the following section, add the following filters to block untrusted devices from accessing O365 via browsers and mobile/desktop apps:

    1. Device Tag does not equal Valid client certificate

    2. App equals Office 365 (or other scoped app)

    3. Client app equals Browser, Mobile and Desktop

  7. Under the Actions section, select the Block radio button.

  8. Select the Customize block message checkbox to enter a customized message that should be displayed to end users trying to access O365 from untrusted devices.

  9. Click Create to save the Access policy.

End User Experience

Trusted Devices

End users accessing Microsoft resources on a trusted device will be prompted to select the certificate to present to Microsoft. Sample prompt when using Safari:

Untrusted Devices

End users trying to access Microsoft resources on untrusted devices will receive the following block message.