Question asked by Advent965-9427

Azure device ID is not selected by AnyConnect on iPhone

Team, this is a two-year-old problem as per the link below. Now I would like to check with you: is this issue fixed? Because we have the same problem in our organization.

https://social.msdn.microsoft.com/Forums/azure/en-US/a13a9d64-7409-410f-8b80-f9567bb6ae85/azure-ad-indentity-certificate-sharing-with-other-apps-in-iphone?forum=WindowsAzureAD

We are trying to connect the VPN (AnyConnect) from iPhone with SAML+2FA (compliant devices only), but the Azure device ID is not selected by AnyConnect. But the same link is working when we try to connect from the browser (Safari), and it clearly prompts us to choose the Azure device ID.

We have tried to push the profile with NAC (device ID) selection, but it is still not working. We have raised technical tickets with Cisco & Microsoft as well, but both are saying it's not their issue and playing a ping-pong game.

[Attachment: 174859-image.png]

@Advent965-9427 Thanks for reaching out, and apologies for the delay on this. Can you help us with the MS support case number so that we can track further information? This will need more information from your environment, like policy details and hopefully the complete setup; I am expecting to find it with that case so that I can help accordingly.


Hi @vipulsparsh-MSFT, thank you for looking into this. Here is the ticket number: 29793110.

Answer by vipulsparsh-MSFT

@Advent965-9427 Thanks for explaining your setup; I understand the situation now. In order for me to help you understand where the problem lies, I will have to explain to you how conditional access works in depth. So here we go:


1) When you enroll a device in Intune (MDM), we do Azure AD registration for that device in AAD and create a device object in AAD that you see in the Azure AD Devices portal. At this time Azure AD signs a device certificate, which is issued in the name of the device public key and is stored in the device keychain on iOS.

2) We then pass the device on to the Intune service, where it follows the enrollment process and gets enrolled into the Intune service. Depending on the compliance policies created in the Intune portal, Intune evaluates the device and stores the device compliance status (true or false) in that Azure AD device object.

3) When a user tries to sign in to any application which is protected by conditional access for devices (compliant, hybrid, etc.), Azure AD needs to be aware of the device the user is signing in from. For this reason the client needs to send the AAD device ID to AAD during sign-in so that AAD can do further checks.

4) Different operating systems have different client-side brokers for accessing the device certificate from the device store and presenting it to Azure AD. For example, a browser will prompt the user to select a certificate, as it cannot access the certificate directly under normal scenarios.

5) In your example on iOS, for the Cisco AnyConnect app to succeed in conditional access, at some point it will need to pass that device ID to Azure AD so that AAD can do further checks. But since the device certificate is stored in a keychain that only a broker app like MS Authenticator can access, it is not able to do so. Also, it is the responsibility of the client app to talk to the broker app to get the certificate. This process is coded in the client app when it is integrated with MSAL: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps

If a native client like the Cisco AnyConnect app is not coded to perform this step, this is going to fail anyway, as there is no way it can get access to that device certificate on its own.
On Android the broker is the Company Portal app.

Your setup will work fine without conditional access on devices, and just with user MFA, but it will fail if you are checking compliance.
There are many other apps which fail to do so, and in that case the client company needs to update their app code to work with the device compliance part.


If Cisco confirms that they have already updated the code to talk to the MS Authenticator app on iOS, which they can do by following https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps, and it still does not work, I will be happy to escalate the case for you.

Hope you understand where the problem is, and trust us, we also do not like to keep you hanging in between. Do let us know if you have any questions; we will be happy to discuss this further with you.




Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
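The broker hand-off described in point 5 above, shown as an added example (not code from this page, from Cisco or from Microsoft) of what a native iOS client has to wire up with MSAL.NET for Xamarin so that the Authenticator app can present the Azure AD device certificate on its behalf. The client ID, bundle id and scopes are placeholders; the API names are taken from the MSAL.NET broker documentation linked in the answer.

```csharp
// Added illustration: minimal MSAL.NET (Xamarin.iOS) wiring that routes
// interactive sign-in through the Microsoft Authenticator broker. Only the
// broker can read the Azure AD device certificate from the keychain, so a
// client that skips this cannot satisfy a "compliant device" CA policy.
using System.Threading.Tasks;
using Foundation;
using Microsoft.Identity.Client;
using UIKit;

public static class BrokeredSignIn
{
    const string ClientId = "<APP-REGISTRATION-CLIENT-ID>";   // placeholder
    const string BundleId = "com.example.vpnclient";           // placeholder
    // The redirect URI has to be registered on the app registration in this
    // exact form and the msauth.<bundle-id> scheme declared in Info.plist.
    static readonly string RedirectUri = $"msauth.{BundleId}://auth";

    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithBroker()                                         // use Authenticator
        .WithRedirectUri(RedirectUri)
        .WithIosKeychainSecurityGroup("com.microsoft.adalcache") // shared cache
        .Build();

    // Called from a UIViewController; the broker answers the conditional
    // access device challenge with the device certificate for this app.
    public static async Task<AuthenticationResult> SignInAsync(UIViewController vc, string[] scopes)
    {
        return await App.AcquireTokenInteractive(scopes)
            .WithParentActivityOrWindow(vc)
            .ExecuteAsync();
    }
}

// The app delegate must hand the broker's redirect back to MSAL, otherwise
// the AcquireTokenInteractive call above never completes.
[Register("AppDelegate")]
public class AppDelegate : UIApplicationDelegate
{
    public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
    {
        if (AuthenticationContinuationHelper.IsBrokerResponse(null))
        {
            _ = Task.Run(() => AuthenticationContinuationHelper.SetBrokerContinuationEventArgs(url));
            return true;
        }
        return AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(url);
    }
}
```

Info.plist also needs the Authenticator URL schemes (msauthv2 and msauthv3) under LSApplicationQueriesSchemes so the app is allowed to open the broker; without any of these pieces the sign-in falls back to the in-app flow and the device ID is never sent.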

@Advent965-9427 Thanks for sharing the case details. From your screenshot, why does your authentication method say username and password? If you are using certificates to authenticate, shouldn't it be configured with certificates there? I am assuming the screenshot that you provided is for an Intune VPN profile.

Also, if the device is MDM enrolled, are you using SCEP or PFX for the certificate?
We can take this thread offline to discuss this further, as I might need other info which is not in the case you mentioned.
Feel free to drop me an email at azcommunity@microsoft.com with the subject "Atten- Vipul" and I will get back to you on this.



Hi @vipulsparsh-MSFT, you're correct, the screenshot is from the Intune profile. We are using SAML auth+2FA (Intune MDM). We are not using our internal/external certificates for MDM here.
We started using Intune MDM, and MDM itself gives certificates (Microsoft certificates) to our devices. So when the application tries to authenticate, it uses the MDM-provided certificate.

Below is the process:
Step 1: User tries to connect the VPN.
Step 2: VPN forwards the authentication to Azure (SAML).
Step 3: Azure gives the username & password page to fill in.
Step 4: User gives the credentials.
Step 5: Azure verifies the 2FA (Intune MDM), where the device is compliant.
Step 6: Authentication is successful.

But here Step 5, the 2FA, is not working because the Azure device ID, which is a certificate (provided by Intune), is missing while authenticating. We don't use any SCEP or PFX service manually; all the certificates are provided by Intune in our scenario.

Hope you understand the issue now.

Answer by Advent965-9427

Thanks a lot for the detailed explanation & procedures. Actually, I have raised a TAC case as well and got the answer below from them. However, I will ask them about these broker app permissions and let you know the status.

[Attachment: 177205-image.png]

@Advent965-9427 They are talking about a completely different setup here, where you will not set up conditional access for compliance from the Azure AD portal. Instead you will enable NAC (as per your initial screenshot), where the device compliance would be shared directly with the Cisco service. In this case you would need to set up certificate-based authentication from Intune. Here are the things you might need to perform if you are going via this route:

1) Set up certificate deployment to devices using Intune (SCEP or PKCS).
2) Deploy a VPN profile to devices which includes enabling NAC. This profile will use the certificate profile you created earlier (step 1); this is how the certificate becomes available in the client store, as you tag both from the portal.
3) Devices will get the certificate from Intune via your SCEP.
4) You will also need to deploy the Cisco AnyConnect app via Intune.
5) When all things are done correctly, the device can then connect.

This setup is different and requires you to set up your environment accordingly.


Thank you for the response.

But when we do this procedure, is it considered 2FA? From what I understand from the above steps, I should use certificate authentication instead of username+password. Correct me if my understanding is wrong.


@vipulsparsh-MSFT, could you please clarify my query above?


@Advent965-9427 Apologies for the delay. You are absolutely correct: that second procedure treats it as certificate authentication and not username and password. And that cannot be combined with conditional access 2FA.
