Is Morpheus integration with Azure AD with a "conditional access mechanism" supported or not?

Hello Experts,

One of our customers is planning to integrate Morpheus with Azure AD, and they request a conditional access mechanism when users log in to Morpheus.

The Morpheus user identity authentication mechanism needs to support real-time judgment of the current authentication risk status through specific conditions and rules, such as forcing MFA authentication based on geographic area or IP range (e.g. logging in through an IP outside the company, or the authenticating device not having the latest security patches installed). Otherwise, if it is a low-risk authentication (e.g. login through the company IP), the user can log in to Morpheus without MFA.

We know Morpheus can integrate with AAD, and AAD also supports conditional access.

We'd like to confirm with you whether conditional access login is achievable while Morpheus integrates with Microsoft AD solutions that support conditional access?

We would appreciate it if you could help check on this and provide your input.

Hi @piyush.jain, I hope you are well today.

The local Morpheus authentication itself does not contain conditional access, or any geographic/IP range validation. So, local user authentication in Morpheus or other authentication mechanisms that don’t provide conditional access would be out of scope.

However, if they are using AAD as an authentication mechanism, as you mentioned, and want to turn on conditional access in AAD, I'd expect that to work without issue. In the case of a SAML connection such as AAD, the client does not really interact with Morpheus for authentication or for validating that information; that would all be up to the Identity Provider (IdP).

This would be the general process:

  1. Client comes to Morpheus
  2. User clicks the SSO button
  3. The client gets redirected to AAD for authentication, MFA, conditional access, etc. (the IP is sent from the client to AAD directly)
  4. Once all the above is worked out by the IdP, they are sent back to Morpheus with an authentication token to let them in

Hope that answers your question! If not, feel free to elaborate here if I misunderstood.
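To make step 4 concrete from the service provider's side, here is an added example (not Morpheus code or anything from the thread) that parses a constructed SAML Response of the kind Azure AD posts back and reports whether the IdP's assertion says MFA was completed, using the AuthnContextClassRef value Azure AD issues for MFA. The Morpheus URL, tenant id and user are placeholders, and signature verification, which a real SP must do before trusting any of these fields, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD reports a completed MFA challenge with this AuthnContextClassRef value;
# a password-only login carries a standard urn:oasis:...:ac:classes:* value instead.
AAD_MFA_CONTEXT = "http://schemas.microsoft.com/claims/multipleauthn"

# Constructed sample: what the browser POSTs back to the Morpheus ACS endpoint in
# step 4, reduced to the elements this check reads (signature omitted, placeholder
# tenant id, hypothetical Morpheus URL and user).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://morpheus.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_summary(response_xml: str, expected_audience: str, now=None) -> dict:
    """Return what the SP learns from the assertion: who, whether the IdP did MFA, validity."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    a = root.find("saml:Assertion", NS)
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    expiry = a.find("saml:Conditions", NS).get("NotOnOrAfter")
    expiry_dt = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return {
        "subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "audience_ok": audience == expected_audience,   # token was minted for this SP
        "not_expired": now < expiry_dt,                 # NotOnOrAfter still in the future
        "mfa_performed": ctx == AAD_MFA_CONTEXT,        # conditional access forced MFA
        "authn_context": ctx,
    }
```

The SP only sees the outcome: the IP and device checks happened at AAD, and the assertion merely records which authentication context resulted.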

Thanks a lot for the very precise and clear explanation.