https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141682#M1950 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/141301">@mski7861</a> without the Roaming Client or the VA, Umbrella won't know which user the DNS request comes from. It's the VA that sends the client IP address and user information with the DNS request to the Umbrella cloud.</P> Mon, 08 Jul 2024 19:52:58 GMT Rob Ingram 2024-07-08T19:52:58Z https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141663#M1947 <P>Can I apply and enforce an umbrella DNS policy to a Active Directory user that doesn't have the Umbrella Roaming Client installed?&nbsp;</P> Mon, 08 Jul 2024 19:15:25 GMT https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141663#M1947 mski7861 2024-07-08T19:15:25Z https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141671#M1948 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/141301">@mski7861</a> yes, configure the clients to use the Umbrella Virtual Appliance (VA) for DNS resolution. <A href="https://docs.umbrella.com/deployment-umbrella/docs/1-introduction" target="_blank">https://docs.umbrella.com/deployment-umbrella/docs/1-introduction</A></P> <P>And also ensure the the VA is integrated with AD <A href="https://docs.umbrella.com/deployment-umbrella/docs/active-directory-integration-with-the-virtual-appliances" target="_blank">https://docs.umbrella.com/deployment-umbrella/docs/active-directory-integration-with-the-virtual-appliances</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 Jul 2024 19:23:10 GMT https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141671#M1948 Rob Ingram 2024-07-08T19:23:10Z https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141676#M1949 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;thank you for the response.&nbsp; In this case we aren't using the VA nor does the client want another appliance in the environment.&nbsp; We are directly integrated with Azure,</P> <P>I created a test policy configured in allow-only mode and applied the test AD user identity to the policy.&nbsp; The host I tested with had the roaming client installed.&nbsp; I logged into the host (with the RC installed) as the test user defined in the policy and it blocked all internet traffic as expected.&nbsp; I then uninstalled the roaming client and rebooted, then tested the same machine and same user however this time I was able to access all URLs.&nbsp; I even ran the policy tester for the test user and it shows the allow-only policy will be applied.&nbsp;&nbsp;</P> <P>I'm just trying to figure out what is required to apply a policy to a Azure AD user or group identity.&nbsp;</P> Mon, 08 Jul 2024 19:32:08 GMT https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141676#M1949 mski7861 2024-07-08T19:32:08Z https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141682#M1950 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/141301">@mski7861</a> without the Roaming Client or the VA, Umbrella won't know which user the DNS request comes from. It's the VA that sends the client IP address and user information with the DNS request to the Umbrella cloud.</P> Mon, 08 Jul 2024 19:52:58 GMT https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141682#M1950 Rob Ingram 2024-07-08T19:52:58Z https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141692#M1951 <P>Ohhhh so that's where the value of the VA comes into play <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Thank you for the clarification and your response!</P> Mon, 08 Jul 2024 19:59:30 GMT https://community.cisco.com/t5/cloud-security/applying-umbrella-policy-to-active-directory-identities/m-p/5141692#M1951 mski7861 2024-07-08T19:59:30Z