Conditional access for BYOD via VPN?

Hi there, have a client who has a bunch of BYOD devices for their folks in the field. These are personal devices that we can’t enroll in Intune or otherwise manage. We were thinking of setting up a VPN in Azure, having them connect to said VPN and then restricting access to 365 via a conditional access policy that only allowed that IP. Is this a good way to go about it? Is there a way to create a simple VPN in Azure that doesn’t require a cert?
Thank you. Feel free to point out anything obvious I may have missed! We usually deal with clients that have company-managed devices we enroll in intune, so this one’s new for us.

If you don’t control it, you don’t want it on your network. You don’t know what kind of issues, viruses, bugs, etc. are on those devices. If they need access to a particular web application, make it public facing with a login or something. I wouldn’t trust an unsecured device on any of my clients’ networks, unless they sign a waiver that they willingly accept the risks of doing so.

Azure Virtual Desktop. Avoid allowing network access from a personal device.

What about Mobile Application Management to set policies for mobile apps? Then use Conditional Access to restrict M365 Access to only those applications.

This is exactly what personal-phone Intune is for. It puts work resources in a protected bucket on the phone. It can stop movement of data to personal storage etc.

If they are using a personal phone for work (email etc.), this is much safer for both of you.

The phone can then be Azure compliant and you can use conditional access.

Another outside the box option and potentially easier to manage is a jump VM using Azure Virtual Desktop. There’s still the risk of the client BYOD device being infected with a keylogger.

Check out Perimeter 81 for AOVPN. You can lock down CA policies to allow devices connecting via the P81 gateway IP. P81 also has a device posture check that can be set to look for presence of apps (like EDR) or registry settings prior to allowing connection to the VPN.

I wouldn’t use VPN for this. Look into a zero trust platform (ZTNA).

Microsoft has App Protection Policies (APP) for unmanaged Windows, iOS, and Android devices.
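As an added example (not from anyone in this thread), here is how the two approaches discussed above, a named-location restriction tied to the VPN gateway's egress IP and an app protection policy requirement for unmanaged mobile devices, look when created with Microsoft Graph PowerShell. The egress CIDR and the break-glass group id are placeholders; the cmdlets come from the Microsoft.Graph.Identity.SignIns module, which is assumed to be installed.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph.Identity.SignIns is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location for the VPN gateway's public egress address.
#    203.0.113.10/32 is a documentation-range placeholder; use the real egress IP.
$vpnLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "VPN egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

# 2. Block Office 365 from every location except the VPN named location.
#    Created in report-only mode so sign-in logs show the impact before enforcing.
#    <break-glass-group-id> is a placeholder for the emergency-access group's object id.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block M365 unless connected via VPN egress"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($vpnLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. On iOS/Android clients, require an app that carries an app protection policy
#    (the MAM-without-enrollment approach) instead of a compliant, enrolled device.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Mobile BYOD: require app protection policy"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
}
```

Both policies start in report-only mode; review the sign-in log's report-only results, then switch `state` to `enabled`. The IP-based policy only gates the point of authentication, so pair it with a short sign-in frequency or continuous access evaluation if a token issued on the VPN should stop working once the user disconnects.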

OK, I use this, but I also want to use SSO, and so I'm having some correlation errors because of some dependency being blocked also:

Microsoft Graph Command Line Tools

Windows Azure Service Management API

There used to be a Microsoft entry resource I could exclude; it's not there anymore.

This is really helpful, thank you!