Security

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.

While I have not tried, I would say that with Conditional Access you can restrict the onboarding process. After the onboarding, there  is no interaction with the SSO as a client certificate will be used for the actual network authentication. Removed/disabled users will be periodically verified against Entra ID to prevent further network access.

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.

While I have not tried, I would say that with Conditional Access you can restrict the onboarding process. After the onboarding, there  is no interaction with the SSO as a client certificate will be used for the actual network authentication. Removed/disabled users will be periodically verified against Entra ID to prevent further network access.

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.

I have not seen such. Conditional Access is something in Entra ID, and Cloud Auth just consumes that as functionality.

Also, a conditional access policy depends on your own policy/preference to allow or disallow users/devices access to onboarding their devices, and what access they would get after onboarding. A generic guidance would be to determine what access you would allow to onboarded devices. If that is full network access to the internal network, putting a restriction on non-corporate devices would make sense, if you allow internet only, putting a restriction on corporate devices may make sense as well, as the internet only access may bypass your corporate security products like firewalls, IDS, proxies, etc. It really depends.

While I have not tried, I would say that with Conditional Access you can restrict the onboarding process. After the onboarding, there  is no interaction with the SSO as a client certificate will be used for the actual network authentication. Removed/disabled users will be periodically verified against Entra ID to prevent further network access.

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.

I have not seen such. Conditional Access is something in Entra ID, and Cloud Auth just consumes that as functionality.

Also, a conditional access policy depends on your own policy/preference to allow or disallow users/devices access to onboarding their devices, and what access they would get after onboarding. A generic guidance would be to determine what access you would allow to onboarded devices. If that is full network access to the internal network, putting a restriction on non-corporate devices would make sense, if you allow internet only, putting a restriction on corporate devices may make sense as well, as the internet only access may bypass your corporate security products like firewalls, IDS, proxies, etc. It really depends.

While I have not tried, I would say that with Conditional Access you can restrict the onboarding process. After the onboarding, there  is no interaction with the SSO as a client certificate will be used for the actual network authentication. Removed/disabled users will be periodically verified against Entra ID to prevent further network access.

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.

If you are able to share how this was done, it may help others. The question pops up every now and then, and at least now I have a confirmation it actually works, but still not how it should be done.

I have not seen such. Conditional Access is something in Entra ID, and Cloud Auth just consumes that as functionality.

Also, a conditional access policy depends on your own policy/preference to allow or disallow users/devices access to onboarding their devices, and what access they would get after onboarding. A generic guidance would be to determine what access you would allow to onboarded devices. If that is full network access to the internal network, putting a restriction on non-corporate devices would make sense, if you allow internet only, putting a restriction on corporate devices may make sense as well, as the internet only access may bypass your corporate security products like firewalls, IDS, proxies, etc. It really depends.

While I have not tried, I would say that with Conditional Access you can restrict the onboarding process. After the onboarding, there  is no interaction with the SSO as a client certificate will be used for the actual network authentication. Removed/disabled users will be periodically verified against Entra ID to prevent further network access.

Hello. Can Entra Conditional Access be used to apply restrictions or limitations to Aruba Cloud Auth? Example scenario is to restrict SSO login to configured Aruba Cloud Auth when attempting to log in from a non company-managed device. Thanks.