How Can We Make VPNs Work With Conditional Access?

Asked By TechWhisperer99 On

I'm really struggling with our current policy setup. We have conditional access requiring users to be on a corporate network to access sensitive information, but our VPN client authenticates through conditional access before the connection is made. This causes a problem because conditional access fails if the user isn't yet connected to the network, preventing the VPN from establishing a connection. I came into this situation after inheriting this policy, and the previous admin had excluded VPN authentication from conditional access, which wasn't ideal. Now I've reinstated that exclusion at the insistence of our security team, but it's resulted in a flood of issues. I've read about an always-on VPN setup that uses device compliance instead of location as a trigger, but that's a major project that I just can't undertake right now. Is there a compromise that doesn't involve scrapping conditional access or launching a lengthy rollout? We use GlobalProtect with around 200 users on mostly Windows 11 devices, with a few older systems mixed in.

4 Answers

Answered By SecureAdmin101 On

It's essential to clarify what security concerns you're addressing. How can you claim a need for a trusted location while also allowing VPN access? Those two stances contradict each other. In our case, we allow VPN connections for users in a certain group using MFA and hybrid-joined devices, which alleviates some of these issues.

Answered By SmartChoiceTech On

Instead of just excluding the VPN client from the main conditional access, consider setting up a separate conditional access rule. This new rule could require the VPN connection to originate from hybrid-joined devices or even compliant ones, creating a compromise without the hassle of the current catch-22.

Answered By NetworkNinja42 On

One option is to exclude the VPN app from the conditional access policy altogether. Just make sure to communicate this to your security team and send them the tickets they're piling on.

CoolTechie88 -

Honestly, real solutions usually take months to implement, like MDM setups or agents to signal device trust. Just keep that in mind.

Answered By PolicyGuru404 On

I recommend excluding the VPN from your primary conditional access policy, and then creating a separate policy that restricts VPN access as needed. This could include requiring compliant devices or limiting access to specific regions, thus keeping your security intact.
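The split suggested in the last two answers (take the VPN app out of the trusted-location policy, then cover it with its own device-based policy), as an added example that is not from this thread. It assumes the Microsoft Graph PowerShell SDK and that GlobalProtect authenticates through an Entra enterprise application; the three GUIDs are placeholders you replace with your own tenant's values.

```powershell
# Added example (not from the thread). Assumes the Microsoft Graph PowerShell
# SDK; the three IDs below are placeholders, not real tenant values.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$vpnAppId         = "<app-id-of-GlobalProtect-enterprise-app>"   # placeholder
$vpnUsersGroupId  = "<object-id-of-VPN-users-group>"             # placeholder
$locationPolicyId = "<id-of-existing-trusted-location-policy>"   # placeholder

# 1. Exclude only the VPN app from the existing "require trusted location"
#    policy. The applications object is replaced as a whole on update, so the
#    current include/exclude lists are read first and copied back.
$existing = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $locationPolicyId
$apps     = $existing.Conditions.Applications
$excludes = @($apps.ExcludeApplications) + $vpnAppId | Select-Object -Unique
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $locationPolicyId -BodyParameter @{
    conditions = @{
        applications = @{
            includeApplications = @($apps.IncludeApplications)
            excludeApplications = @($excludes)
        }
    }
}

# 2. Separate policy for the VPN app only: grant when the device is
#    Intune-compliant OR hybrid Entra joined. Created in report-only mode
#    so the sign-in logs show who would be blocked before it is enforced.
$vpnPolicy = @{
    displayName   = "CA-VPN-RequireCompliantOrHybridJoined"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeGroups = @($vpnUsersGroupId) }
        applications   = @{ includeApplications = @($vpnAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $vpnPolicy
```

Leave the new policy in report-only until the sign-in log shows the older, non-hybrid-joined machines you mentioned are either enrolled or handled by an exclusion group; otherwise you recreate the current catch-22 for exactly those users.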
