Conditional access not prompting users for MFA

  • Question

  • Hi,

    Hoping someone has seen this and can point me in the right direction.

    We have a couple of conditional access policies set up in AAD, one that blocks users that aren't on a trusted site and another that allows users access from untrusted locations if MFA is applied. Users are assigned one policy or the other, not both. The block policy works fine, but the MFA policy allows the user to connect regardless of location.

    The What IF tool shows the users getting the policy correctly based on IP:
    
    Windows10_Allow_Untrusted_MFA
    Require multi-factor authentication

    And according to the sign-in log MFA was required and done, the result says:
    • USER: Kathryn Janeway
    • USERNAME: kat.janeway@blahblahblah.com
    • APPLICATION ID: 00000006-0000-0ff1-ce00-000000000000
    • APPLICATION: Microsoft Office 365 Portal
    • CLIENT: ;Windows 10;Edge 16.1629;
    • LOCATION: Somewhere
    • IP ADDRESS: ::Untrusted IP::
    • DATE: 5/17/2018, 8:44:37 AM
    • MFA REQUIRED: Yes
    • MFA AUTH METHOD:
    • MFA AUTH DETAIL:
    • MFA RESULT: MFA requirement satisfied by claim in the token
    • SIGN-IN STATUS: Success

    I'm obviously missing something, but we need the users to be prompted for MFA every time they sign in when not on one of our sites.
    • Edited by Matt_AWF Thursday, May 17, 2018 8:18 AM
    Thursday, May 17, 2018 8:16 AM
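A defender-side triage check for the pattern in the sign-in log above, added here as an example and not code from the original thread: it walks constructed sign-in records using the same field names and MFA result wording as the post, treats any IP outside an assumed set of trusted ranges as untrusted, and flags successful sign-ins where the MFA requirement was satisfied only by a claim in the token with no interactive method recorded.

```python
import ipaddress

# Assumed trusted (named) locations; constructed for this example.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# MFA result text exactly as it appears in the sign-in log on this page.
CLAIM_SATISFIED = "MFA requirement satisfied by claim in the token"

# Constructed sample records mirroring the sign-in log fields in the post.
# Record 1 is the case the thread describes: untrusted IP, no auth method,
# MFA "satisfied" purely by a token claim.
SAMPLE_SIGNINS = [
    {"user": "kat.janeway@example.com", "ip": "198.51.100.7",
     "mfaRequired": True, "mfaAuthMethod": "",
     "mfaResult": CLAIM_SATISFIED, "status": "Success"},
    {"user": "kat.janeway@example.com", "ip": "203.0.113.5",
     "mfaRequired": False, "mfaAuthMethod": "",
     "mfaResult": "", "status": "Success"},
    {"user": "tom.paris@example.com", "ip": "198.51.100.9",
     "mfaRequired": True, "mfaAuthMethod": "Mobile app notification",
     "mfaResult": "MFA completed (constructed sample value)",
     "status": "Success"},
]


def is_trusted(ip: str) -> bool:
    """True when the source IP falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def non_interactive_mfa(rec: dict) -> bool:
    """True when MFA was 'satisfied' without the user performing a factor."""
    return (rec["mfaRequired"]
            and rec["mfaResult"] == CLAIM_SATISFIED
            and not rec["mfaAuthMethod"])


def find_untrusted_claim_signins(records):
    """Successful sign-ins from untrusted IPs whose MFA came only from a token claim.

    These are the sign-ins the original poster expected to see an MFA prompt for;
    surfacing them per user lets an admin confirm which devices hold such a claim.
    """
    return [r for r in records
            if r["status"] == "Success"
            and not is_trusted(r["ip"])
            and non_interactive_mfa(r)]
```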

All replies

  • So when your users are logging in from outside your trusted locations, they are prompted for the MFA. Once the MFA challenge is completed, they would be granted access.

    As per the WhatIF results, the MFA requirement is "satisfied" - hence the users have been granted access.

    Since you mentioned that you need the users to be MFA challenged when they are logging in from untrusted locations, the conditional access policy in this case is in conflict.

     


    Thursday, May 17, 2018 2:45 PM
  • Sorry no - when users are logging in from outside they are NOT prompted, they just gain access. The logs show that the MFA is satisfied by the claim in the token - the user doesn't actually perform it, they can log in regardless of location.

    Thursday, May 17, 2018 4:41 PM
  • Could it be that when the users are logging in from the untrusted location, already have a previously authenticated session running on the device(s) ?

    Thursday, May 17, 2018 5:48 PM
  • It seems that's exactly what is happening, but after a restart they still aren't prompted; somehow the MFA is being marked as completed in the existing token. I need to make sure that if someone takes a machine out of an office they are prompted for MFA every time they log in. That seems to be the most basic requirement of using MFA.
    Friday, May 18, 2018 7:27 AM
  • In addition to Neelesh's response, I suggest you refer to the following documentation link on how the conditional access policy will work for users when they log in to a machine from outside the organization, if the conditional policies are applied. See if this helps.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings


    • Proposed as answer by YASWANTH MADI Friday, May 25, 2018 3:50 PM
    Friday, May 25, 2018 3:50 PM
  • Sorry no - when users are logging in from outside they are NOT prompted, they just gain access. The logs show that the MFA is satisfied by the claim in the token - the user doesn't actually perform it, they can log in regardless of location.

    Hi Matt,

    In some scenarios, multi-factor authentication does not require a prompt. For instance, when Captain Janeway uses Windows Hello to sign in to a (Hybrid) Azure AD Joined device that is equipped with a TPM chip, you'll see that her claim token would indeed carry the authenticationmethods claimtype. You can verify it using the AD FS Claims X-Ray functionality on Microsoft's AD FS Help page. Other simple ways are the SSO Tracer and SAML Tracer plug-ins for Firefox.

    With the latest versions of Azure AD Connect and versions of Windows 10 beyond version 1607, the Hybrid Azure AD Join feature kicks in automatically when you include domain-joined devices in scope of Azure AD Connect.

    It might feel counter-intuitive to have multi-factor authentication without prompts, but Microsoft feels the identity check for people using Azure AD-joined devices with TPM devices is sufficient to satisfy the MFA requirement. If you have AD FS, you may require a specific multi-factor authentication method. Azure AD does not offer that functionality as part of Conditional Access (yet).

    Monday, May 28, 2018 8:14 AM
  • Hello, you mentioned both Hybrid Azure AD Joined devices. Would this also apply to Azure AD Registered (Workplace Join) devices?
    Wednesday, July 18, 2018 8:38 PM
  • Hello, you mentioned both Hybrid Azure AD Joined devices. Would this also apply to Azure AD Registered (Workplace Join) devices?

    I would also like some clarification on perezjs's question if anyone can confirm?

    I see Conditional Access only MFA, Compliant, Hybrid Azure AD Joined or Approved App as the Access Controls.

    I see Azure AD Registered devices have a compliance status of N/A so don't think they can ever satisfy this condition.

    Can someone confirm if in reality 'Hybrid Azure AD Joined' also covers Azure AD Registered though?

    Thanks, Ryan.


    Friday, November 9, 2018 7:55 AM
  • Hi Matt,

    We have been having the same issue trying to use conditional access for Windows AlwaysOn VPN connectivity. We want end-users to be prompted for MFA when connecting to AlwaysOnVPN.

    We did a little bit of research and found out what might be the probable cause but are yet to find a way around it. It's to do with MFA Trusted IPs and the check box that says "Skip multi-factor authentication for requests from federated users on my intranet". I have attached some screenshots from our environment which should give you an idea where to check. In our case, when connecting to AlwaysOn VPN the local IP is recognized as an intranet IP due to the authentication claim sent to the ADFS server.

    Hope this information will be of some use.

    Monday, December 17, 2018 7:34 AM
  • I have the same issue.

    I am using MS Edge on a compliant (Azure AD registered) device with a professional account linked, and from an untrusted IP. MFA granted me access.

    I understand that somehow Edge is providing a certificate or token to MFA in order to bypass that step.

    Later on I see in auditLogs/signIns that MFA result is: "MFA requirement satisfied by claim in the token".

    I think that the untrusted IP rule/condition should prevail.

    Wednesday, March 20, 2019 1:23 PM
  • So I got in contact with Microsoft support who escalated to the engineers.

    All of our devices we used for test are Windows 10 - some 1803, some 1809. All are Hybrid Azure AD Joined. We wanted to use Azure AD Conditional Access for multi-factor and device compliance for VPN.

    If you run dsregcmd /status on one of your clients, you get output like this:

    AzureAdPrt : YES
    AzureAdPrtUpdateTime : 2019-04-03 07:18:12.000 UTC
    AzureAdPrtExpiryTime : 2019-04-17 07:18:25.000 UTC

    So the Primary Refresh Token (PRT) is valid for 14 days, this PRT is periodically refreshed if you have a connection to Azure AD. When your devices are Hybrid Azure AD Joined, a valid MFA claim is included in the PRT and so your devices will always pass MFA and will never prompt for MFA for the user that is assigned to the Hybrid AAD Joined device.

    There is no way to change this, there is no way to prompt for another MFA factor and nothing seems to be planned from the engineers - at least we haven't been told.

    Wednesday, April 3, 2019 9:30 AM
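A small helper for the PRT behaviour Kasper describes, added here as an example and not part of the original thread: it parses the `dsregcmd /status` fields quoted above (from a constructed excerpt of that output) and reports whether the device holds a PRT, the PRT lifetime, and how long the MFA claim carried in that PRT will keep satisfying Conditional Access before the device must refresh it.

```python
from datetime import datetime, timezone

# Constructed excerpt of `dsregcmd /status` output, using the field names and
# timestamp format shown in the thread; the surrounding box rows are assumed.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
             AzureAdPrt : YES
   AzureAdPrtUpdateTime : 2019-04-03 07:18:12.000 UTC
   AzureAdPrtExpiryTime : 2019-04-17 07:18:25.000 UTC
"""


def parse_dsregcmd(text: str) -> dict:
    """Turn the 'Key : Value' lines of dsregcmd /status into a dict, skipping box rows."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        fields[key.strip()] = value.strip()
    return fields


def parse_prt_time(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS.mmm UTC' stamps dsregcmd prints."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)


def prt_status(fields: dict, now: datetime) -> dict:
    """Summarise the device's PRT: present, lifetime, and time left on its MFA claim."""
    if fields.get("AzureAdPrt") != "YES":
        return {"has_prt": False}
    updated = parse_prt_time(fields["AzureAdPrtUpdateTime"])
    expires = parse_prt_time(fields["AzureAdPrtExpiryTime"])
    return {
        "has_prt": True,
        "lifetime_days": (expires - updated).days,  # 14 on the page's output
        "remaining_days": (expires - now).days,     # how long CA keeps passing MFA
        "expired": now >= expires,
    }


def summarise(text: str, now_text: str) -> dict:
    """Convenience wrapper: raw dsregcmd text plus a 'now' in the same stamp format."""
    return prt_status(parse_dsregcmd(text), parse_prt_time(now_text))
```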
  • Hi Matt,

    Ensure your individual users have MFA set to either Enabled or Enforced. We just resolved the exact same issue, and the users who weren't being prompted for MFA, despite the conditional access policy saying they should, had MFA set to Disabled on their account.

    Friday, April 12, 2019 6:06 AM
  • If you run dsregcmd /status on one of your clients, you get output like this:

    AzureAdPrt : YES
    AzureAdPrtUpdateTime : 2019-04-03 07:18:12.000 UTC
    AzureAdPrtExpiryTime : 2019-04-17 07:18:25.000 UTC


    What Kasper shared appears to line up with what I'm understanding and seeing. Thanks for the confirmation and feedback, Kasper!

    nick

    Tuesday, April 23, 2019 6:45 PM
  • We just rolled out MFA to our users and I'm in the process of testing Azure SAML sign in with our Cisco AnyConnect. I expected to be prompted for MFA off site, but I'm seeing the same thing as above.

    I understand that a hybrid joined device would have a timer, but is there really no way to force MFA for a particular application, even if a trusted device is on an untrusted IP range? My conditional access policy requiring users of the app in any location to require MFA is being reported as 'Not Applied'

    Friday, November 15, 2019 2:10 AM
  • Is the app configured for Single Sign-on?

    Supported apps and clients

    Conditional Access App Control currently supports SAML and Open ID Connect apps configured with single sign-on, along with web apps hosted on-prem configured with the Azure AD App Proxy.

    https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad


    nick

    Monday, November 18, 2019 6:26 PM
  • It is, we have it set up to use SAML Authentication between our ASA backed AnyConnect clients and our Azure AD instance. The devices are Hybrid joined, and running 1903.

    I just don't feel 100% comfortable with there not being a way to enforce 2FA even if the device is hybrid joined and is still within the 14-day Primary Refresh Token window. It feels like with conditional access being an option I should be able to override the token in the event the user attempts to access this specific application.

    Thursday, November 21, 2019 1:35 PM