Thank you for blogging this.
Now, I know you're just a blogger, but I hope some smart people like Caleb Baker or others on the Azure AD/Azure MFA/Conditional Access product teams are reading and following me.
Now, to forward a question from the CEO, paraphrased:
"Microsoft can make such an overcomplicated, interconnected solution, but they can't force MFA on connection to the corporate VPN like every other vendor?"
We have placed an order with a competitor VPN vendor because of this problem. We're not ready for a complete zero-trust transformation, we need the corporate VPN, and our CISO and risk manager won't budge on this need for MFA every time. We're government, it's just more complicated.
A very simple workaround would be for us admins to be able to ignore the MFA claim on the PRT for specific cloud apps, either on the cloud app itself or in a Conditional Access policy. That way, I'd ignore the MFA claim for the "VPN Server" cloud app (automatically created by RRAS), and our users would get the ideal experience when connecting to the corporate VPN (given we still had Microsoft RRAS...).
Sign-in frequency isn't enough. Even if you set it to its minimum of 1 hour, it's still an entire hour where users won't need to perform MFA. To add, requiring users to input a password is a bad experience. We require MFA for the VPN connection, but not necessarily a password.
It isn't too late, I'm a big fan of RRAS, and a big fan of Azure MFA and Conditional Access. Get this out the door ASAP and save yourself a customer 😉
I mean, there are lots of other use cases where "just" ignoring logon is a policy nightmare. Password managers, identity/access management systems, internal documentation, etc. It shows some ignorance to customer demand if you "just" excuse the lack of MFA because there's a lot of conditions behind the scenes.
Azure MFA NPS Extension is the only alternative, and it's a bad experience. When initiating a VPN connection, it simply idles, and there's no way for the user to know that they need to use the Authenticator app on their phone. It increases the need for education, and it requires the user to have Authenticator set up already, or it will just time out. As I said, it's a bad experience, whereas the WAM interactive sign-in dialog is much more user-friendly and can even get the user through Authenticator registration if needed.