How to restrict access of an endpoint to users on a specific device in Azure AD

Michael Cleverdon 21 Reputation points
2022-01-05T21:49:38.54+00:00

Hi! I've been looking around trying to see how I could go about setting up a conditional access policy for a specific endpoint of my web application but I haven't found anything to help solve my problem. My issue is that the web application is already set up with a SAML SSO system through the web.config file because it requires a user login in order to access the site. However, there's a section of the app that needs to be restricted to a single device, but I don't know exactly how to go about doing that.

My initial thought is to create a separate tenant for the Restricted Zone™ and somehow verify that the user is on the allowed device using a conditional access policy for that tenant. However, I don't know if that's even possible to have two separate SAML authentications for a single app, or if they would play nice together (my guess is probably not considering the cookies would have the same name). If someone could point me in the right direction of how to go about doing this, that would be very appreciated because I've spent too long Googling this issue to no avail. Thanks!


Accepted answer
  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2022-01-06T05:27:52.523+00:00

    @Michael Cleverdon Currently Azure AD Conditional Access only allows SharePoint sites to have granular controls per page. With other cloud apps it is not possible to have a different control set for different pages.

    You might convert that web app into two separate cloud apps, meaning different application IDs and controls. That way you can target the restricted one to only a single device using the device filter option in Azure AD Conditional Access. Hope someone in the community might have another way/idea.

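As an added example, not code from the thread or from Microsoft, this is how the accepted answer's suggestion looks once the restricted section has been registered as its own application: a Conditional Access policy that blocks that application for every device except one, using a device filter through Microsoft Graph PowerShell. The application ID, device ID and break-glass account ID are placeholders; the policy is created in report-only mode first so sign-in logs can be reviewed before it enforces anything.

```powershell
# Added example (not from the thread): block the restricted app from every device
# except one approved device, using a Conditional Access device filter.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the restricted
# section is already registered as a separate application, and the GUIDs below
# are placeholders to be replaced with the tenant's own values.

Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.ConditionalAccess is required to create the policy;
# Application.Read.All lets the policy reference the app by its ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$restrictedAppId  = "00000000-0000-0000-0000-000000000000"   # placeholder: application (client) ID of the restricted app
$allowedDeviceId  = "11111111-1111-1111-1111-111111111111"   # placeholder: Azure AD device ID (the DeviceId property, not the object ID)
$breakGlassUserId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency-access account excluded from the block

$params = @{
    displayName = "Block restricted app except from approved device"
    # Report-only first: evaluate and log, but do not enforce. Switch to "enabled"
    # after confirming in the sign-in logs that only the intended device passes.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @($restrictedAppId) }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # "exclude" removes the matching device from the policy's scope, so
                # the block applies to every other device. A device that is not
                # registered in the tenant never matches the filter and is blocked too.
                mode = "exclude"
                rule = "device.deviceId -eq `"$allowedDeviceId`""
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

The device ID to use is the `DeviceId` property of the registered device object (for example from `Get-MgDevice -Filter "displayName eq 'LAPTOP-NAME'"`), not the directory object's `Id`. Because device filters only evaluate devices that are registered or joined to the tenant, the "exclude" mode fails closed: anything unregistered falls under the block, which is the behaviour wanted here.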


2 additional answers

  1. Mr Sbaa 356 Reputation points
    2022-01-11T20:05:17.287+00:00

    That's not possible with the conditional access framework. However, you can give access based on trusted locations. For example, assign the device with a certain public IP and grant access based on trusted locations only. Might not be very ideal though.

    Most customers I see are using a conditional access policy which requires the device to be compliant and have a separate compliance policy (e.g. require BitLocker) in place. I would suggest configuring something similar and not overcomplicating things.


  2. Michael Cleverdon 21 Reputation points
    2022-01-12T16:35:12.44+00:00

    I ended up going with a firewall-based restriction policy since this is an internal application. The firewall will block all traffic to the specified endpoint unless it's coming from one specific device, in which case it will allow it through. This isn't the best solution, but Azure AD doesn't have this fine a granularity for access control built in yet, so this is the only solution as far as I can tell without separating this one endpoint into a completely new application.
