Windows 10 AlwaysOn Conditional Access Connection Fix – Part 2

Over the last couple of months I worked together with Microsoft on protecting the Windows 10 AlwaysOn VPN connection with AzureAD Conditional Access. As I explained in this blogpost, I found a strange issue where a user was able to connect without being compliant with the Conditional Access requirements. After publishing that blogpost Microsoft came back to me that even that configuration is not the 'total' solution. The reason is that the VPN backend (RAS or NPS) must itself enforce the use of the AzureAD Conditional Access certificate, rather than relying on the client alone. In this blogpost I will explain the steps needed to get this configured.

Join me at the Tech Summit AMSTERDAM Next Week!

Next week I will be speaking at the Microsoft Tech Summit, which takes place in the Amsterdam RAI. On Wednesday the 28th I will be speaking about 'Protect your Windows 10 VPN solution with AzureAD Conditional Access'. Besides my own session I will also take part in the Microsoft 365 Keynote, where we will share our KPN Microsoft 365 migration experiences. At the end of the day I will also be present at the 'Ask-the-Experts' session. On Thursday I will also be at the Tech Summit, but just as an attendee. I hope to see you at my session in The Hub Theater.

Session Abstract:
In this demo-rich session I will discuss the Windows 10 AlwaysOn VPN solution. Besides the solution itself I will also show how we can publish the VPN profile through Microsoft Intune to our Windows 10 workstations and how we can protect the AlwaysOn VPN with AzureAD Conditional Access. Come to this session if you want to learn more about the AlwaysOn VPN and how to protect it with AzureAD Conditional Access.

Windows 10 AlwaysOn Conditional Access Connection Fix

Last year I wrote a couple of blogposts about the Windows 10 AlwaysOn VPN solution with AzureAD Conditional Access. You can find the blogposts here:

After testing this solution more and more I ran into a strange issue where the user was able to set up an AlwaysOn VPN connection even when the Conditional Access conditions were not met. So if my Conditional Access policy required a compliant device, I was still able to connect with a non-compliant device. I could do this by clicking the X (Close) icon while in the Conditional Access flow. Together with Microsoft I investigated this and a solution has been found.

Intune Device Compliance Notifications

This week's short blogpost is all about the new Device Compliance Notification functionality in Microsoft Intune. With this new option you can send notifications to your users when their device becomes non-compliant. This is a great new way of informing users about the compliance state of their device. When using Device Compliance in AzureAD Conditional Access it is very important to inform your users about the compliance state of their device, since a non-compliant device can be blocked by those policies. Users can already view the compliance state in the Intune Company Portal; this notification is an additional way of informing them.

Windows 10 AlwaysOn VPN with Conditional Access – Part 3

This is the last part of the blogpost series about Windows 10 AlwaysOn VPN with AzureAD Conditional Access. In the first part I described which infrastructure is needed to get up and running with the Windows 10 AlwaysOn VPN. The second part covered the configuration needed to add AzureAD Conditional Access to the solution, and also showed how MFA can be enforced on AlwaysOn VPN connections with AzureAD Conditional Access. In this last part I want to show you that AzureAD Conditional Access can also require a compliant device, and I want to describe the scenario of blocking access to the AlwaysOn VPN.

Scenario: Using both Intune Device and App Based Conditional Access – conclusion

Last week I visited IT/DEV Connections in San Francisco. During the week I attended some great sessions and talked to some great people. On the last day I attended the sessions of Simon May (PM within the Intune team at Microsoft) and discussed with him the Conditional Access scenario where I wanted to combine both App and Device Based Conditional Access. During this discussion we both concluded that this scenario should now be possible. With this blogpost I want to provide an update on this scenario.

Windows 10 AlwaysOn VPN with Conditional Access – Part 2

This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure described in that blogpost is a prerequisite for this one. This blogpost will focus on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario: enforcing a multi-factor authentication request before the VPN connection can be activated.

Windows 10 AlwaysOn VPN with Conditional Access – Part 1

In this series of blogposts I want to show you how you can use AzureAD Conditional Access to protect your Windows 10 / Server 2016 AlwaysOn VPN solution (deployed with Intune). This first part of the series will describe the initial requirements and setup of the infrastructure which is needed for the AlwaysOn VPN solution. The second part will focus on the configuration needed to add AzureAD Conditional Access for VPN connections to the flow and the last part of the series will focus on testing the Conditional Access features against AlwaysOn VPN connections. But let’s start with the description of the needed components and the initial configuration of those components.

Allow or Block Windows 10 versions accessing corporate data

With this blogpost I want to focus on controlling which Windows 10 versions can access corporate data and which versions will be blocked from accessing corporate data. To achieve this I'm using AzureAD Conditional Access together with Compliance Policies configured in Microsoft Intune. The first scenario is to only allow Windows 10 versions which are still receiving updates and are supported by Microsoft. The second scenario is about allowing your users to run Insider builds for testing purposes while blocking those builds from connecting to corporate services and data.

Scenario: Using both Intune Device and App Based Conditional Access – Part 3

In this part of the series around using both Device and App Conditional Access for securing Exchange Online I'm focusing on providing a user self-service solution to choose between ActiveSync and MAM-managed Exchange Online access. In the first part of the series I focused on securing Exchange Online browser and ActiveSync access, and in the second part I focused on securing app access to Exchange Online. After both blogposts the conclusion was that Device and App Conditional Access cannot co-exist in the scenario where we want to secure ActiveSync connections and at the same time provide Outlook app access to non-MDM-enrolled mobile devices. Based on the tests and the documentation the user needs to choose between using ActiveSync or using the Outlook app (not enrolled). In this blogpost I want to share a solution where the user can choose between the two scenarios using self-service.