OJ2
Active Contributor

Azure Conditional Access blocking LastPass on iPhone

Hi All

We use LastPass Enterprise, using federated Azure login. All works fine on PCs. Conditional Access in Azure is set up to ensure that users can only log into the SSO resources (250+) from Intune-managed devices. It requires that authentication requests come from Chrome or Edge.
LastPass has its own browser and does not send the authentication request via Edge or Chrome, so it is getting blocked and users cannot log in.
LastPass say that they are aware of this. It's not a fault with their product; it's more of a change they need to make to enable their product to work with AAD Conditional Access rules.
Has anyone found a way round this?

Robert Czymoch
New Contributor

Called support. Apparently the team that handles this is looking at it. I am expecting a call back once they are done.
rritterson
New Contributor

I followed the help and was able to get an iOS device logged in just fine, but an Android device still popped the error that the device needed to be registered in Intune.

I suspect that there's a pending Android app update that hasn't been pushed to the play store yet

Robert Czymoch
New Contributor

Yeah same error on Androids. I do not have an Apple device to test but I will ask someone to test it.

Robert Czymoch
New Contributor

Doesn't work on an iPhone either. Exact same error as Androids.

I guess I get to call support back and ask what exactly is going on.

rritterson
New Contributor

We pulled diag logs from an iPhone and an Android device. On iOS you can clearly see the login URL contains the redirect_uri parameter as configured in the app registration, but on Android (app version 5.7.0.8068), the logs don't show that parameter as if the app doesn't yet contain the MSAL components required.

The iOS log also has a "useAzureMDMFlow: true" parameter earlier, and Android does not; further evidence the Android app is unaware of the new capabilities.

Edit: Also, iOS app version 5.9 came out today, with release notes officially acknowledging support

Leonux
Active Contributor

It's important to know the details of each conditional policy.

On Android we have this working but using only the "Require device to be marked as compliant" Control.

If you add "Require approved client app" or "Require app protection policy" the login fails... which is somehow expected.

This way if you install the app on the Work profile on Android you should be able to login, but if you try to login using personal profile it should fail. 

This lets us control LastPass data, but the users are able to login using SSO.

On iOS we are using two policies one for "All Cloud Apps" with  "Require device to be marked as compliant" Control.

And another one only for specific apps where we chose almost all apps except LastPass with "Require approved client app" or "Require app protection policy".

Here we can't control LastPass data...

LastPass should be an Approved App, otherwise I don't see a solution for iOS. Or maybe we are missing something.

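As an added example (not from this thread, nor LastPass's or Microsoft's code): a small Python "what-if" evaluator for the two iOS Conditional Access policies described in the post above, so you can check which policy would block a given sign-in before changing the tenant. The policy dictionaries follow the Microsoft Graph conditionalAccessPolicy field names and built-in grant control values (compliantDevice, approvedApplication, compliantApplication); the LastPass app ID is a constructed placeholder and the SignIn attributes are a simplification of the real sign-in context.

```python
from dataclasses import dataclass

LASTPASS_APP_ID = "PLACEHOLDER-LASTPASS-APP-ID"  # constructed placeholder, not a real app ID

def ios_policy(name, controls, exclude=()):
    return {
        "displayName": name, "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": list(exclude)},
            "platforms": {"includePlatforms": ["iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }

# The two iOS policies from the post: compliant device everywhere; approved app / APP everywhere except LastPass
POLICIES = [
    ios_policy("iOS: require compliant device", ["compliantDevice"]),
    ios_policy("iOS: require approved app or app protection",
               ["approvedApplication", "compliantApplication"], exclude=[LASTPASS_APP_ID]),
]

@dataclass
class SignIn:
    app_id: str
    platform: str
    device_compliant: bool       # device enrolled and marked compliant by Intune
    approved_client_app: bool    # request comes from a Microsoft-approved client (e.g. Edge)
    app_protection_policy: bool  # client honours an Intune app protection policy

def control_met(control, s):
    return {"compliantDevice": s.device_compliant,
            "approvedApplication": s.approved_client_app,
            "compliantApplication": s.app_protection_policy}[control]

def in_scope(p, s):
    apps = p["conditions"]["applications"]
    included = "All" in apps["includeApplications"] or s.app_id in apps["includeApplications"]
    return (p["state"] == "enabled" and included and s.app_id not in apps["excludeApplications"]
            and s.platform in p["conditions"]["platforms"]["includePlatforms"])

def evaluate(s, policies=POLICIES):
    """Names of in-scope policies the sign-in fails; an empty list means access is granted."""
    blocking = []
    for p in [p for p in policies if in_scope(p, s)]:
        met = [control_met(c, s) for c in p["grantControls"]["builtInControls"]]
        if not (any(met) if p["grantControls"]["operator"] == "OR" else all(met)):
            blocking.append(p["displayName"])
    return blocking
```

Passing a single strict policy without the LastPass exclusion reproduces the original poster's situation: the LastPass client, which is neither an approved app nor MAM-capable, is blocked even on a compliant device.
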
rritterson
New Contributor

That's interesting, we're seeing different behavior. On iOS the device shows as compliant and managed:

On Android it doesn't. So even the "require device to be marked compliant" flag fails.

Leonux
Active Contributor

On Android, did you install the LastPass app using the corporate Play Store?

On iOS we also see the device Compliant and managed, but since iOS shares the same app for work and personal, if you only use "require device to be marked compliant" you fail to control Corporate Data on the device, because this allows the user to configure company mail in the native iOS app, which we don't want to do.

Robert Czymoch
New Contributor

The base controls that should work:

Require Multifactor Authentication.

Require Device to be marked as compliant.

Either require one or both.

Things like an Approved app or other advanced conditional access policies are optional controls that LastPass needs to support. But it should work with one of the above controls at base minimum.

I have tested multiple devices and cannot get them to work at all. Apps are current from the relevant app/play store.

It would be nice to see some comment from LastPass themselves.

rritterson
New Contributor

Our app is pushed out as required by Intune through the Intune app on the corporate-provided devices managed by Android Enterprise (we don't use work profiles). Other apps that use MSAL work fine when deployed this way, and I don't think Android Apps would be aware of their deployment method, right? So it's not as though the app wouldn't activate MSAL unless deployed a certain way. 

What app version are you using? We've tried 5.7 and 5.8 beta, but neither worked. 

Like you, we have the same issue using "require approved app" on iOS and have the same hesitations about turning it off, though we will probably proceed with LastPass for now, as gaining federated LP only on compliant devices is a bigger security gain than using the iOS mail app is a loss.