ISE Condition: Device in AZURE Group

fabioairoldi
Level 1

Hello all,

I am relatively new to Cisco ISE and all the possible conditions; I would like to know how to create the following condition:

check if a device is member of an Azure AD group.

The device will be Azure only (so no registration on-prem).

I am running ISE version 3.2.0.542 patch 5

The Azure AD tenant has already been configured as REST External Identity Source.

Thanks for the help

F.

Accepted Solution

Greg Gibbs
Cisco Employee

No, it is not currently possible to Authorize an Entra Joined Device against Entra ID using the REST ID function. Only User Authorization is possible. See my blog linked below for current options supported in relation to ISE and EntraID.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635


5 Replies

Arne Bier
VIP

I don't have access to Azure, but if you have the External Identity Source configured, then it will appear in the Policy Set, when you create a new Authorization Rule.

[Screenshot: ArneBier_1-1717360010474.png]


In my case I have an on-prem AD - but ISE will list your Azure Identity Source in the drop-down list.

[Screenshot: ArneBier_0-1717359936477.png]



Arne Bier
VIP

Thanks @Greg Gibbs - it shows how little (zero) engagement I have with this stuff in my day to day.

fabioairoldi
Level 1

Thanks @Greg Gibbs

Am I to understand that it's also not possible to check if a device is enrolled in Entra ID? So no group check, just authenticate based on whether or not it's present.

Currently I am authenticating based on a simple check on the Certificate - Issuer CN.

May I ask what would be a better way to make this rule stricter WITHOUT using any USER-based conditions?

Thanks

F.

Correct. ISE currently does not have the ability to check anything related to the registration/join status of a Device in Entra ID as part of the Authentication or Authorization process. The Device is only authenticated based on a valid/trusted certificate presented to ISE.

Using the Intune MDM registration/compliance status of the device as a condition for authorization is currently the best option for additional security control.