This post is a part of a series.
- Part 1 – FIDO2 and configuration
- Part 2 – Conditional Access policy to allow access only from a compliant device (this post)
- Part 3 – Passwordless SSH login in action
I’ve chosen the scenario where SSH login is allowed only when the user connects from a compliant device, so I need a Conditional Access policy to enforce that restriction.
Conditional Access Policy
Under cloud apps, I selected “Azure Linux VM Sign-in” and “Azure Windows VM Sign-in”. The demo will just show Linux, but either one will work.

I then chose to grant access only when both of the selected controls are met:
- Require multi-factor authentication (met by the FIDO2 security key)
- Require device to be marked compliant (per the Microsoft Endpoint Manager compliance policy)
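
As an added example (not from the original post), the policy described above can be audited from its JSON export in the Microsoft Graph `conditionalAccessPolicy` shape, flagging the settings that would weaken it: report-only state, an uncovered VM sign-in app, a missing grant control, or an OR operator. The application IDs are placeholders and the sample policies are constructed.

```python
# Added example: audit a Conditional Access policy, in the JSON shape Microsoft
# Graph returns for conditionalAccessPolicy, against the settings in this post.

# Placeholders (assumption): replace with the application IDs of the
# "Azure Linux VM Sign-in" and "Azure Windows VM Sign-in" apps.
LINUX_VM_APP = "<azure-linux-vm-sign-in-app-id>"
WINDOWS_VM_APP = "<azure-windows-vm-sign-in-app-id>"
REQUIRED_CONTROLS = {"mfa", "compliantDevice"}


def audit_policy(policy, required_apps=(LINUX_VM_APP, WINDOWS_VM_APP)):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced")

    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    for app in required_apps:
        if app in excluded or not ({app, "All"} & included):
            findings.append(f"application {app} is not covered")

    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    for control in sorted(REQUIRED_CONTROLS - controls):
        findings.append(f"grant control {control!r} is missing")
    # With OR, satisfying a single control grants access; the post needs both.
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("grant operator is not AND")
    return findings


# Constructed sample policies (not exported from a real tenant).
GOOD = {
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": [LINUX_VM_APP, WINDOWS_VM_APP]}},
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}
WEAK = {
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"applications": {"includeApplications": [LINUX_VM_APP]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_policy(policy) or "matches the post's policy")
```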

VM details
The users have been assigned either “Virtual Machine Administrator Login” or “Virtual Machine User Login” roles.

Additionally, this VM was provisioned to allow SSH using Azure AD credentials.

In part 3 of this series we’ll see the passwordless SSH login in action.