bart_vermeersch
Steel Contributor
Mar 27, 2020

Device registration and security/MFA registration

I would like to better understand how the AAD device registration works.

In AAD we see BYODs being registered in AAD when installing or configuring Outlook or Teams. Is registration also triggered when configuring other applications (e.g. OneDrive, Word...)? Is this a setting we can configure?

Upon registration of their BYOD device, users are asked to complete additional security registration (MFA). Is this a setting we can configure?

"Require Multi-Factor auth to join devices" in AAD is set to NO.

Thanks!

  • bflick I think I do. The key thing is that a user is not using his password to log in to his device (but using PIN, Windows Hello...). To be able to perform SSO towards Azure services, this isn't sufficient; you need a password or some additional factor. This triggers device registration. It is the device registration that needs the MFA (not yet sure why exactly).

    So, to be tested: if you use a password to log in to Windows 10 you will not start the device/MFA registration, but SSO will be possible. If you do not use a password to log in to Windows 10 and skip the device/MFA registration, you won't get SSO for Teams and Outlook.

     

    If the user logs into the machine via a new generation credential (PIN, Hello, ..) that is not already included in the existing PRT or there is no existing PRT on the device then the Azure AD MAM plugin will trigger device registration via a request which includes the “amr_values=ngcmfa” parameter and this will be the source of the MFA.

    From MS support:

    • The user is connecting from an Azure AD registered device via a PRT which only contains the password claim for the registration authentication method used (Registration_amr). This means that the device was previously workplace joined to Azure AD without MFA being required, as per your current configuration in which MFA is not required. This evaluation is done based on the device authentication request sent to Azure AD.
    • The MFA requirement is enforced by the Azure AD WAM plugin (Microsoft Authentication broker) via the following request parameter: “amr_values=ngcmfa”. This is occurring because the user signed into the machine using a new generation credential like a PIN or fingerprint. At this time, because the user signed into the Windows device via a different authentication method than the one included in the PRT (which was password), the authentication broker forces the user to configure MFA so that it can refresh the existing PRT record on the device with the new authentication method used.

    Considering the above information, this behavior is by design and to be expected due to the PRT token refresh process and you can find it better detailed in the following articles:

    How is a PRT renewed? - https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-renewed

    When does a PRT get an MFA claim? - https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim

    Regards,

    Bart

    • bart_vermeersch
      Steel Contributor

      Thank you for the suggestions, Moe_Kinani and JonasBack

      We have defined a few conditional access policies, but none of them requires MFA registration. There is only a limited group of users required to use MFA to log on, that's it.

      No specific policies are defined in Intune.

      User-based MFA is disabled for all our users.

      MFA registration in Azure Identity Protection is also disabled.

      Maybe I should open a support ticket.

      Bart

  • JonasBack
    Steel Contributor

    By default I don’t think you should get MFA when performing Azure AD registration of a device. I think this is because (as another poster mentioned) of either Conditional Access, or the fact the user is enabled and enforced for MFA (portal.azure.com > Azure Active Directory > Users > Multi Factor Authentication), or even Security Defaults being enabled.

    I have not found any way to disable this behaviour of BYOD when using new versions of Office. The only way to skip Azure AD Registration is to let the user cancel the wizard of registration.

    The only downside I see is that you get a bunch of "unknown personal devices" in your Azure AD.
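An added example, not part of any post in this thread, for administrators who want to see what this behaviour leaves behind in the tenant. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDevice, Get-MgDeviceRegisteredOwner) to list devices whose trust type is "Workplace", which is how Azure AD registered (as opposed to Azure AD joined or hybrid joined) devices appear in the directory, together with their registered owner and last sign-in, so stale or unexpected personal registrations can be reviewed. The 90-day staleness threshold and the output path are assumptions chosen for this example.

```powershell
# Added example: audit Azure AD registered (workplace-joined) devices via Microsoft Graph.
# Requires the Microsoft.Graph module; the signed-in account needs Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All" -NoWelcome

# Assumed threshold for flagging a registration as stale (not from the thread).
$staleAfter = (Get-Date).AddDays(-90)

# trustType 'Workplace' = Azure AD registered; 'AzureAd' = Azure AD joined; 'ServerAd' = hybrid joined.
$registered = Get-MgDevice -Filter "trustType eq 'Workplace'" -All `
    -Property "id,displayName,operatingSystem,operatingSystemVersion,registrationDateTime,approximateLastSignInDateTime,accountEnabled,isManaged"

$report = foreach ($d in $registered) {
    # A registered device normally carries the user who completed the registration as its owner.
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id -All
    $upns = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'

    [pscustomobject]@{
        DisplayName   = $d.DisplayName
        OS            = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        Owner         = if ($upns) { $upns } else { '<none>' }
        Registered    = $d.RegistrationDateTime
        LastSignIn    = $d.ApproximateLastSignInDateTime
        Enabled       = $d.AccountEnabled
        Managed       = $d.IsManaged
        # Stale if never signed in, or not seen since the assumed threshold.
        Stale         = (-not $d.ApproximateLastSignInDateTime) -or ($d.ApproximateLastSignInDateTime -lt $staleAfter)
    }
}

# Show unmanaged, stale, or ownerless registrations first; they are the "unknown personal devices".
$report | Sort-Object -Property @{Expression='Stale';Descending=$true}, Owner |
    Format-Table DisplayName, OS, Owner, Registered, LastSignIn, Enabled, Managed, Stale -AutoSize

# Assumed output path for a record of the review.
$report | Export-Csv -Path ".\aad-registered-devices.csv" -NoTypeInformation
```

Running this periodically gives a baseline of which BYOD registrations exist, who they belong to and whether they are still in use; devices that are stale, unmanaged or have no owner are the ones worth cleaning up or investigating, rather than trying to suppress the registration itself.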
  • Michael Tang
    Brass Contributor

    bart_vermeersch

    Unless the user OOBE joined their own device at the time of setup, BYOD devices connecting to Outlook or Teams usually show up as Azure AD registered and not as Azure AD joined, if MAM enrollment is enabled.

    If you enabled MAM enrollment, most of the time those policies are App Protection Policies for Windows 10 without enrollment.

    Conditional Access can still be enforced for MFA on non-domain-joined devices.