topic Azure AD - Device Group in SASE and Remote Access

Azure AD - Device Group

michele — Tue, 13 Jun 2023 14:10:59 GMT

If I connect Azure AD as an identity provider, can I then also authorize by device group on azure in addition to by user group? my goal would be to enable a user group only from a particular device group.

Re: Azure AD - Device Group

PhoneBoy — Tue, 13 Jun 2023 18:55:52 GMT

As long as the group comes across in the SAML Assertion and there is a local group created for it (of the form EXT_ID_xx where xx is the case sensitive name of the group), I don't see why it wouldn't work.

Re: Azure AD - Device Group

michele — Wed, 14 Jun 2023 06:06:24 GMT

Thank you.
Right now windows clients, I connect in VPN via capsule component (configured on windows built-in vpn); since it only requires user password to connect, I wanted to understand if I could add in addition to a user group, a managed device group; right now the user groups are read via LDAP (AD onprem), however, I would like to understand if I can connect the user/device groups directly on Azure and not change the current connection method (Capusle with user/password) as I would not want to go and install the dedicated checkpoint software to connect in vpn

Re: Azure AD - Device Group

PhoneBoy — Wed, 14 Jun 2023 16:57:12 GMT

Not currently possible as the authentication method has to be SAML to obtain the user's groups from Azure AD.

Re: Azure AD - Device Group

michele — Thu, 22 Jun 2023 11:00:46 GMT

Is there anything I can do so that I can always use capsules though increasing security?

Re: Azure AD - Device Group

PhoneBoy — Thu, 22 Jun 2023 17:12:10 GMT

This isn't supported with the Capsule VPN clients.