https://community.checkpoint.com/t5/SASE-and-Remote-Access/MFA-Azure-disabling-Capsule/m-p/153232#M396 <P>Hello,</P><P>I configured MFA with Azure on a customer network to be able to authenticate VPN connections from the remote users.</P><P>As I know, there is no option to configure Capsule VPN with MFA Azure, so I decided to disable Capsule as a method in the VPN settings and only allow Endpoint Security to enforce users to only use Azure MFA.</P><P>&nbsp;</P><P>But there's is 1 device from the CEO (an IPAD) that it's mandatory that can be able to connect to the VPN.</P><P>So there is a way to enable Capsule but only 1 user or 1 device be able to authenticate?<BR /><SPAN>Or exists some method to integrate Capsule with MFA Azure?</SPAN></P><P>The only solution that I found is to deactivate all methods except Endpoint Security and Capsule for IOS.</P><P>Thank you</P> Mon, 18 Jul 2022 12:37:06 GMT rapsodiaverde 2022-07-18T12:37:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/MFA-Azure-disabling-Capsule/m-p/153232#M396 <P>Hello,</P><P>I configured MFA with Azure on a customer network to be able to authenticate VPN connections from the remote users.</P><P>As I know, there is no option to configure Capsule VPN with MFA Azure, so I decided to disable Capsule as a method in the VPN settings and only allow Endpoint Security to enforce users to only use Azure MFA.</P><P>&nbsp;</P><P>But there's is 1 device from the CEO (an IPAD) that it's mandatory that can be able to connect to the VPN.</P><P>So there is a way to enable Capsule but only 1 user or 1 device be able to authenticate?<BR /><SPAN>Or exists some method to integrate Capsule with MFA Azure?</SPAN></P><P>The only solution that I found is to deactivate all methods except Endpoint Security and Capsule for IOS.</P><P>Thank you</P> Mon, 18 Jul 2022 12:37:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/MFA-Azure-disabling-Capsule/m-p/153232#M396 rapsodiaverde 2022-07-18T12:37:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/MFA-Azure-disabling-Capsule/m-p/153651#M397 <P>I assume you mean MFA with Azure AD.<BR />This is currently not supported on Capsule Connect for iOS.</P> <P>While you cannot prevent any user from authenticating to the VPN with Capsule Connect, you can prevent users who do authenticate from actually connecting to anything.<BR />This ultimately involves creating two Access Roles:</P> <UL> <LI>One for the CEO (only) connecting via Capsule Connect</LI> <LI>One for everyone else connecting via Capsule Connect</LI> </UL> <P>In your rulebase, you'll end up creating two rules: One that allows the CEO to connect to the relevant resources, and another that denies all access from other users.<BR />See the following on creating Access Roles:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide/Topics-IDAG/Introduction-Access-Role-Objects.htm?tocpath=Introduction%20to%20Identity%20Awareness%7C_____1" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide/Topics-IDAG/Introduction-Access-Role-Objects.htm?tocpath=Introduction%20to%20Identity%20Awareness%7C_____1</A>&nbsp;</P> <P>Note that you will need to enable Identity Awareness if it's not enabled already and enable Remote Access as one of the Identity Sources (not enabled by default).</P> Fri, 22 Jul 2022 19:58:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/MFA-Azure-disabling-Capsule/m-p/153651#M397 PhoneBoy 2022-07-22T19:58:43Z