Leonux
Active Contributor

Re: LastPass Launches Support for Condition Access

There's a strange behaviour with policies with All Cloud Apps scope and simultaneously selecting LastPass App as an exception; somehow that doesn't seem to work as "we think" is intended.

This policy will not skip LastPass validation and fails the login.

Our current best solution for iOS uses a combination of two policies and one of them uses the scope "Selected Apps" where we select all apps and leave LastPass unselected.

rritterson
New Contributor

Re: LastPass Launches Support for Condition Access

I went through a 4 month long ticket with MS engineering and T3 LP support to troubleshoot this issue back in 2020, and MS told me that the reason the exception does not work as you would expect is because the LP app calls Graph API commands that are considered beyond the scope of a single app. (i.e., the Graph API is a separate app) So, even though you exclude the app, you're not excluding the Graph commands.

For that reason, I consider constructing a policy the way you did to be a bit of a cybersecurity risk as you aren't actually adding all of the apps that could apply--apparently there are more than just Graph you can't choose under "selected apps"
Leonux
Active Contributor

Re: LastPass Launches Support for Condition Access

Yep, that's true @rritterson

Our best solution for iOS is a mix of two policies:

Policy 1

All Cloud apps

Require Compliant Device

Policy 2

Selected apps - Where we select all apps except LastPass

Require Approved and APP Protect Policy

This will force device enrolment on any APP except LastPass and unfortunately will fail to protect LastPass Data.

On Android, using only "Require Compliant Device" on All Cloud Apps will force the use of Work profile apps and that will force the enrolment, so here it seems we don't have any issue.
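As an added illustration, not part of the thread and not Microsoft's or LastPass's code, here is a small Python model of the behaviour rritterson describes (excluding the LastPass app does not exclude the Graph calls it makes) and of the two-policy iOS mix listed just above. Its single assumption is that a policy's cloud-app scope is matched against the resource a token is requested for, not against the client app making the request. Every app ID is a constructed placeholder, and the grant-control names are labels chosen for this example, not values taken from any real API.

```python
# Added example, not from the thread: a toy model of how a Conditional Access
# policy's "cloud apps" scope is matched. Assumption (taken from rritterson's
# explanation): the scope is compared against the RESOURCE a token is requested
# for, not against the client app doing the sign-in.
# All app IDs below are constructed placeholders, not real app IDs.
from dataclasses import dataclass, field

ALL = "All"  # the "All cloud apps" scope

# constructed placeholder identifiers
LASTPASS_APP = "app-lastpass"
GRAPH_RESOURCE = "app-microsoft-graph"
SHAREPOINT_RESOURCE = "app-sharepoint"


@dataclass(frozen=True)
class SignIn:
    client_app: str  # app performing the sign-in (e.g. the LastPass iOS app)
    resource: str    # API the token is actually requested for


@dataclass
class Policy:
    name: str
    include_apps: set                      # {ALL} or explicit resource IDs
    exclude_apps: set = field(default_factory=set)
    grant_controls: tuple = ()

    def applies_to(self, s: SignIn) -> bool:
        # Assumption: only the requested resource is compared to the scope.
        if s.resource in self.exclude_apps:
            return False
        return ALL in self.include_apps or s.resource in self.include_apps


def controls_for(policies, s):
    """Union of grant controls from every policy that applies to a sign-in."""
    out = set()
    for p in policies:
        if p.applies_to(s):
            out.update(p.grant_controls)
    return sorted(out)


def dead_exclusions(policies, observed):
    """Exclusions that never match a resource seen in the sign-in log: the
    policy author believes something is excluded, but nothing ever is."""
    requested = {s.resource for s in observed}
    return {p.name: sorted(p.exclude_apps - requested)
            for p in policies if p.exclude_apps - requested}


# Constructed sign-ins standing in for what a sign-in log would show: the
# LastPass app never asks for a token to "itself"; it asks for Graph.
OBSERVED = [
    SignIn(client_app=LASTPASS_APP, resource=GRAPH_RESOURCE),
    SignIn(client_app="app-outlook-mobile", resource=SHAREPOINT_RESOURCE),
]

# The policy shape from the first post: All cloud apps, LastPass excluded.
ALL_EXCEPT_LASTPASS = Policy(
    name="Require compliant device (All cloud apps, LastPass excluded)",
    include_apps={ALL},
    exclude_apps={LASTPASS_APP},
    grant_controls=("compliantDevice",),
)

# The two-policy iOS mix: "Selected apps" listing everything selectable,
# which per the thread does not include the Graph resource.
SELECTED_APPS_POLICY = Policy(
    name="Require approved app + app protection (selected apps)",
    include_apps={SHAREPOINT_RESOURCE},  # Graph is not in the picker
    grant_controls=("approvedApplication", "compliantApplication"),
)


def lastpass_still_hit():
    """True: the exclusion names the client app, but the request is for Graph."""
    return ALL_EXCEPT_LASTPASS.applies_to(OBSERVED[0])


if __name__ == "__main__":
    print(lastpass_still_hit())
    print(controls_for([ALL_EXCEPT_LASTPASS, SELECTED_APPS_POLICY], OBSERVED[0]))
    print(dead_exclusions([ALL_EXCEPT_LASTPASS], OBSERVED))
```

The `dead_exclusions` check is the kind of audit worth running against real sign-in logs: an exclusion entry that never matches any resource actually requested is not excluding anything, which is exactly how the "All cloud apps minus LastPass" policy ends up still blocking the LastPass login.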
rritterson
New Contributor

Re: LastPass Launches Support for Condition Access

If I try to block Apple mail only by choosing "Apple Internet Accounts" and then "Require Approved App", the conditional access doesn't apply because it says Apple Internet Accounts doesn't match Apple Internet Accounts. I presume this is the same issue as Lastpass in reverse -- do you know what other apps you have to add to get that enforced?

Leonux
Active Contributor

Re: LastPass Launches Support for Condition Access

Yep, it should be the same problem, because LastPass uses the "GRAPH API" resource and Apple Internet Accounts will probably use the "Office 365 Exchange Online" resource.

In order to block native iOS apps you will need to add the app "Office 365", which is a bundle of almost, if not all, of the Office 365 ecosystem, and require "Approved APP" and "APP Policy Protection". This will force the enrolment.

You can see the APP bundle here.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

rritterson
New Contributor

Re: LastPass Launches Support for Condition Access

Three months later we reached resolution with our Android devices. You have to install a work account certificate to get MDM-controlled logins to work. I have asked LP support to add this requirement to the documentation.
For recently enrolled personal devices, the additional certificate happens automatically (which is why SSO works on some devices OOB). For personal devices enrolled a long time ago, you can follow these instructions to use the Company Portal App: Install missing required certificate | Microsoft Docs
For corporate/fully managed devices, the same control is in Microsoft Authenticator: Quick tip: Enable browser access on Android Enterprise corporate-owned devices – All about Microsoft...

rellington
New Contributor

Re: LastPass Launches Support for Condition Access

If anyone is interested, I found a workaround for this in iOS if you aren't able to log in due to Conditional Access blocks from the LastPass App not passing the device details.

On the iPhone go to Settings-->Passwords-->AutoFill Passwords

If LastPass is not checked, check it and you'll be able to log in here to LastPass which then logs the LastPass app in. If LastPass is already checked, uncheck it then check it again to pop the auth page and you'll be able to log in with Conditional Access policy in place.

rritterson
New Contributor

Re: LastPass Launches Support for Condition Access

That sounds like an unintentional security flaw to me. Does GoTo/Lastpass have a bug bounty program? You might get paid to report that...

rellington
New Contributor

Re: LastPass Launches Support for Condition Access

I don't think it's a security flaw because it actually just uses the correct browser that way which is able to pass the device status. If I look at the Azure logs I see that the Conditional Access policy is still being hit.

EnterpriseCusto
Visitor

Re: Azure Conditional Access blocking LastPass on iPhone

I know this is an old post, but having the same issue.
Microsoft is saying the app is not built well (not surprised) and should not be using Graph API access when attempting to sign-in as there is no way to exclude this app from our strict conditional access policies.