How to Set Up Conditional Access and Device Compliance for Cloudflare VPN Access?

Asked By CuriousCat1234 On
I'm trying to figure out the best way to configure Conditional Access and device compliance requirements for employees before they can access resources through our Cloudflare VPN, which will then allow access to company resources like AWS. We already have Conditional Access policies set up and we're managing device compliance through Intune, requiring things like BitLocker and specific OS versions. The goal here is to ensure that employees can only access company apps/resources if their devices are compliant. Does adding Cloudflare VPN or AWS as 'Target Resources' in the Conditional Access settings work for this?

2 Answers

Answered By TechSage56 On

Yes, you can definitely add Cloudflare VPN as a target resource in your Conditional Access policies. However, I'd be cautious about this setup; it can get complicated. You're basically linking Entra, Intune, Cloudflare, and AWS, which introduces multiple points of failure. For instance, if Intune misbehaves after a Windows update, it could block half your team from accessing necessary resources due to compliance issues. Also, remember that Conditional Access checks compliance only at authentication time, not continuously. So, a compliant device in the morning could be compromised by the afternoon without losing access until token refresh happens. It might be worth looking into access gateways like Teleport or StrongDM that combine device trust and resource access without needing a VPN, simplifying compliance management considerably.

Answered By SecurityMaven88 On

Just a heads up that not all applications pass the device ID for authentication. For example, if users are on Android without a work profile or in incognito mode, you might run into issues. It's crucial to have good logging for the apps you know use the device ID and handle those that don’t. Make sure to carve out necessary apps for compliance and consider other MFA methods to cover any gaps.

CuriousCat1234 -

Good point! I'll definitely keep that in mind when reviewing our app setups. Thanks!
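SecurityMaven88's point about apps that never pass a device ID, and TechSage56's warning about users getting locked out, are both visible in the sign-in logs. The script below is an added example, not code from the thread; its events are constructed to resemble Entra ID sign-in log entries, and the field names (`deviceDetail.deviceId`, `conditionalAccessStatus`, `appDisplayName`) are an assumption about that schema.

```python
"""Find sign-ins where no device identity reached Conditional Access."""
from collections import defaultdict

# Constructed sample events in the assumed Entra sign-in log shape.
# Values are invented: "bob" is blocked because Android without a work
# profile sent no device ID; "carol" reached an app the policy never covers.
SAMPLE_SIGNINS = [
    {"appDisplayName": "Cloudflare Access", "userPrincipalName": "alice@example.com",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "d1", "isCompliant": True, "operatingSystem": "Windows 11"}},
    {"appDisplayName": "Cloudflare Access", "userPrincipalName": "bob@example.com",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "operatingSystem": "Android"}},
    {"appDisplayName": "Expense Tool", "userPrincipalName": "carol@example.com",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"deviceId": "", "isCompliant": False, "operatingSystem": "Windows 10"}},
]


def missing_device_id(event):
    """True when the sign-in carried no device identity, so a
    'require compliant device' grant could not be evaluated for it."""
    return not (event.get("deviceDetail") or {}).get("deviceId")


def summarize_device_coverage(events):
    """Per app: sign-ins without a device ID and the platforms they came from.
    Apps with a non-zero count need a carve-out or a different control."""
    report = defaultdict(lambda: {"total": 0, "no_device_id": 0, "platforms": set()})
    for ev in events:
        entry = report[ev.get("appDisplayName", "<unknown>")]
        entry["total"] += 1
        if missing_device_id(ev):
            entry["no_device_id"] += 1
            entry["platforms"].add((ev.get("deviceDetail") or {}).get("operatingSystem", "?"))
    return {app: {"total": v["total"], "no_device_id": v["no_device_id"],
                  "platforms": sorted(v["platforms"])} for app, v in report.items()}


def blocked_without_device(events):
    """Users the compliance policy rejected only because no device ID arrived."""
    return [(ev["userPrincipalName"], ev["appDisplayName"]) for ev in events
            if missing_device_id(ev) and ev.get("conditionalAccessStatus") == "failure"]


def unenforced_apps(events):
    """Sign-ins that got through with no device ID: that app is not actually
    gated by the compliant-device requirement and needs its own policy."""
    return [(ev["userPrincipalName"], ev["appDisplayName"]) for ev in events
            if missing_device_id(ev) and ev.get("conditionalAccessStatus") != "failure"]


if __name__ == "__main__":
    print(summarize_device_coverage(SAMPLE_SIGNINS))
    print("blocked:", blocked_without_device(SAMPLE_SIGNINS))
    print("unenforced:", unenforced_apps(SAMPLE_SIGNINS))
```

Against real data, feed it the `signIns` export and review every app in the unenforced list before trusting the compliance gate.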
