Forum Discussion
Is it possible to prompt a user to authenticate through MS Authenticator when their risk increases?
- May 17, 2021
joeldavideng, we manually increase the risk of a user when we discover a breach somewhere else.
That way, the user is prompted for a password change (forcing MFA is not possible ATM).
I'll follow ChristianJBergstrom. Here is a link with all the information about Identity Protection:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Best regards,
Schnittlauch
"First, no system is safe. Second, aim for the impossible. Third, no backup, no mercy" - Schnittlauch
Did my answer help you? Don't forget to leave a like. Also mark the answer as solved when your problem is solved. 🙂
Schnittlauch and @ChristianJBergstrom, thanks for the replies. When I was reading through the docs for Identity Protection, I saw that you can configure User Risk policies, which ultimately lead to a Block or Allow (with password change) option, or you could configure Sign-in Risk policies, which lead to Block or Allow (with MFA prompt). I am actually looking for a blend of the two, where users aren't necessarily signing into any new applications, but are exhibiting enough risk that I would like them to confirm their identity in the Authenticator app.
I would like to refine my question to: Is it possible to prompt a user to authenticate through the MS Authenticator app on demand?
- May 14, 2021
joeldavideng, hello. If you have AAD P2 with Identity Protection, sign-in risk and user risk can be evaluated as part of a Conditional Access policy. If you then select "require MFA" and also have configured the Authenticator app as the only MFA option, it should be triggered.
Conditions in Conditional Access policy - Azure Active Directory | Microsoft Docs
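The setup described in the two replies above (Schnittlauch's "manually raise the user's risk" and ChristianJBergstrom's "evaluate sign-in/user risk in a Conditional Access policy and require MFA"), as an added PowerShell example that is not part of the thread. It assumes the Microsoft Graph PowerShell SDK is installed, an Azure AD Premium P2 tenant, and an account holding the Policy.ReadWrite.ConditionalAccess, IdentityRiskyUser.ReadWrite.All, User.RevokeSessions.All and AuditLog.Read.All permissions. The break-glass account object ID and the target user's UPN are placeholders you must replace; the policy name is an arbitrary choice.

```powershell
# Added example, not from the original thread. Requires the Microsoft Graph PowerShell SDK
# (modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'IdentityRiskyUser.ReadWrite.All',
                        'User.RevokeSessions.All', 'AuditLog.Read.All', 'Directory.Read.All'

# --- 1. Risk-based Conditional Access policy -------------------------------------------------
# Any user, any cloud app; medium/high sign-in risk OR high user risk -> require MFA.
# Created in report-only mode first so its effect can be checked in the sign-in logs before enforcing.
$breakGlassId = '<object-id-of-emergency-access-account>'   # placeholder: always exclude a break-glass account
$policyBody = @{
    displayName   = 'Risk - require MFA on medium/high sign-in risk or high user risk'   # arbitrary name
    state         = 'enabledForReportingButNotEnforced'      # switch to 'enabled' once validated
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
        userRiskLevels   = @('high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # which MFA methods satisfy this is governed by the tenant's authentication methods policy
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy $($policy.Id) in state $($policy.State)"

# --- 2. Raising a user's risk on demand (Schnittlauch's approach) ---------------------------
# "Confirm compromised" sets the user's risk level to high, which makes the policy above apply
# the next time a token is issued. CA is evaluated only at sign-in, so revoke the existing sessions
# to force that re-authentication (and therefore the Authenticator prompt) promptly.
$userUpn = 'user@contoso.example'                            # placeholder
$user    = Get-MgUser -UserId $userUpn -Property Id, UserPrincipalName

Confirm-MgRiskyUserCompromised -UserIds @($user.Id)
$revoked = Revoke-MgUserSignInSession -UserId $user.Id      # invalidates refresh tokens; clients must sign in again
"Sessions revoked for $($user.UserPrincipalName): $revoked"

# Confirm the risk state actually changed before relying on the policy.
$risky = Get-MgRiskyUser -RiskyUserId $user.Id
"Risk level: $($risky.RiskLevel)  state: $($risky.RiskState)  last updated: $($risky.RiskLastUpdatedDateTime)"

# --- 3. Verify from the sign-in logs that the policy fired -----------------------------------
# While report-only, the result shows as reportOnlySuccess/reportOnlyFailure instead of success/failure.
Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" -Top 10 |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $policy.Id }
        if ($hit) {
            "{0}  app={1}  policy='{2}'  result={3}" -f $_.CreatedDateTime, $_.AppDisplayName, $hit.DisplayName, $hit.Result
        }
    }
```

Two caveats worth knowing before adopting this: MFA satisfies the policy but does not remediate *user* risk (only a password change or an admin dismissal does), so a user marked compromised stays at high risk and will be prompted on every sign-in until that happens; and, as joeldavideng found in the thread, none of this prompts a user who is not signing in at all, because Conditional Access is enforced only when a token is requested.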
- joeldavideng, May 14, 2021, Copper Contributor
ChristianJBergstrom, I was able to set up a Conditional Access policy that only prompts a user for MFA if their risk is high when the user logs in, but I was not able to trigger an Authenticator prompt mid-session or if the user is not logged in at all. I believe I will need to pursue other options for triggering prompts based on actions other than logins, given the limited number of actions Conditional Access policies support. Thanks for your help.
- May 14, 2021
Not sure what you're after here, but there are massive risk calculations going on offline and in real time.
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection
Just a brief heads-up on how it works: https://blog.onevinn.com/mcas-and-aad-identity-protection-threat-detection-and-automatic-response