Himanshu Singh
Iron Contributor
Dec 20, 2021

Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

My Scenario:-

  1. We are not synchronising password hash with Azure AD.
  2. We have federated authentication setup.

My Queries:-

  1. How does Azure AD sense/identify when a user changes his/her password?
  2. Issuance of Azure AD tokens (AT/RT/PRT): are these somehow related to the on-premises password change task? How? Please share all details.
  3. Also it is seen that when an on-premises user is changing password and the device is Hybrid during Ctrl+Alt+Del sign-in:
    1. This is when the machine is authenticated using the certificates it is given by Azure AD for device authentication.
    2. However, the user using this machine is at times not prompted for MFA even when CA is enforcing MFA on every logon?
    3. Is this known already? What is/are the reasons?
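The third query turns on whether the hybrid-joined machine actually holds a Primary Refresh Token (PRT) and is presenting device authentication when the user signs in after a password change. The following PowerShell is an added example, not code from the original post; it wraps the real `dsregcmd /status` output and reports the join state and PRT fields that tool prints (AzureAdJoined, DomainJoined, AzureAdPrt, AzureAdPrtUpdateTime). The `Get-DsregStatus` function name is an assumption for this example.

```powershell
# Added example (not from the original post): parse 'dsregcmd /status' on a
# hybrid Azure AD joined Windows device and report whether a PRT is present.
# Field names are the ones dsregcmd itself prints; the function name is ours.

function Get-DsregStatus {
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        # Lines look like "        AzureAdPrt : YES" (values may contain ':' e.g. timestamps)
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$s = Get-DsregStatus
$report = [pscustomobject]@{
    DomainJoined  = $s['DomainJoined']
    AzureAdJoined = $s['AzureAdJoined']
    HybridJoined  = ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES')
    PrtPresent    = ($s['AzureAdPrt'] -eq 'YES')
    PrtUpdateTime = $s['AzureAdPrtUpdateTime']
}
$report | Format-List

if (-not $report.HybridJoined) {
    Write-Warning 'Device is not hybrid Azure AD joined; device-based Conditional Access conditions will not match.'
}
if (-not $report.PrtPresent) {
    Write-Warning 'No PRT present: no device/MFA claims are carried into the session until the user signs out and back in and a new PRT is issued.'
}
```

Run it in the user's own session on the affected machine (dsregcmd reports the PRT for the logged-on user, not for an elevated different account); comparing PrtUpdateTime with the time of the password change shows whether the PRT was renewed at the next interactive logon.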
  • Hi,

    Azure AD does not care if a password changed (unless you are using Identity Protection); the authentication is federated to your own IdP (AD FS or whatever other service).

    Regarding MFA, can you please elaborate? Please note that there are lifespans for authentication and refresh tokens, and unless you configure session control in CA, some scenarios might not require MFA each time.

    Regards,
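The answer's point about session control is that without a sign-in frequency setting, a valid refresh token or PRT satisfies the MFA grant control silently for its whole lifetime. The following PowerShell is an added example, not from the thread, showing a Conditional Access policy that requires MFA and sets a sign-in frequency via the Microsoft Graph PowerShell cmdlet `New-MgIdentityConditionalAccessPolicy` (Microsoft.Graph.Identity.SignIns module). The policy name, the one-hour interval, and the break-glass group id are assumptions/placeholders.

```powershell
# Added example (not from the original thread): Conditional Access policy that
# requires MFA and re-evaluates authentication every hour through the
# signInFrequency session control. Values marked as placeholders are assumptions.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '<break-glass-group-object-id>'   # placeholder, replace before use

$policy = @{
    displayName = 'Require MFA with 1-hour sign-in frequency (report-only)'
    # Start in report-only mode so the effect shows in sign-in logs before enforcement.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Without this block, a cached refresh token/PRT keeps satisfying 'mfa'
        # until it expires, which is the "no MFA prompt" behaviour asked about above.
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs confirm which users and apps would be affected, then switch `state` to `enabled`; the sign-in frequency is what converts "MFA required" from a once-per-token-lifetime check into a periodic one.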
