Forum Discussion
Double MFA when logging into Win10 with SAML-federated AAD identity
You probably have Security defaults enabled: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
More generally speaking, Azure AD will honor MFA claims inserted by other IdPs, but I'm not sure if this is the case for G-Suite federation.
- OrionJason, Jul 29, 2020, Brass Contributor
VasilMichev I did enable Security Defaults as indicated in that link. I also went back in and toggled it back to No, hoping that would take care of it, but it did not change the issue. Once that setting is enabled, does toggling it off in the UI only revert some settings? Is there a list of what the security defaults are and their related PowerShell commands to verify the UI un-sets them, or manually unset them as needed?
- VasilMichev, Jul 29, 2020, MVP
The article lists what exactly Security defaults "translates" to, first paragraph on top. You won't see them in other parts of the UI.
- OrionJason, Jul 30, 2020, Brass Contributor
VasilMichev I see the list. I am having some difficulty finding a good way to determine the current state of those settings.
The group setting is off:
Specifically I want to make sure that these 2 are not enabled for the federated domain:
Requiring all users to register for Azure Multi-Factor Authentication.
Requiring users to perform multi-factor authentication when necessary.
Thanks
--Jason