Forum Discussion
Himanshu Singh
Dec 20, 2021, Iron Contributor
Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT
My Scenario:- We are not synchronising password hashes with Azure AD. We have a federated authentication setup. My Queries:- How does Azure AD sense/identify when a user changes his/h...
michael_moshkovich
Dec 20, 2021, Brass Contributor
Hi,
Azure AD does not care if a password changed (unless you are using Identity Protection); the authentication is federated to your own IdP (AD FS or whatever other service).
Regarding MFA, can you please elaborate? Please note that there are lifespans for authentication and refresh tokens, and unless you configure session control in CA, some scenarios might not require MFA each time.
Regards,
Himanshu Singh
Dec 21, 2021, Iron Contributor
I explain again; either the behavior is not consistent or it is not understood clearly.
1. When the machine is hybrid and it is restarted, or the user logs off and is logging on again, this is after changing the password. In my case passwords are changed through a portal, which are then updated and pushed into AD.
a. The “Windows Sign” operation will get a PRT token which will include the MFA token, and then the user will not be prompted for MFA ANYMORE when accessing any service: Mail, Teams, PowerBI, etc.
b. This is based on this reading: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-invalidated
c. And the PRT includes the MFA claim, here: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim
2. However, when I test the same by clicking “REVOKE ALL SESSIONS” or Sign Out User from all applications, and then the user signs in again, he/she is being prompted for MFA. Why?
a. It is true for both the Outlook Desktop Client and the Teams Desktop Client.
b. Or any BROWSER session too, correct?
c. But the OneDrive for Business Client never prompts for MFA?
d. Browser-based sessions use WAM and Desktop Clients use CloudAP, correct?
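When troubleshooting the PRT behaviour this thread is about, the first thing to check on the hybrid-joined device is the SSO section of `dsregcmd /status`. The script below is an added example, not code from this thread or from Microsoft: it assumes `dsregcmd` is the source, parses a constructed sample of its output (field names as dsregcmd prints them, timestamps made up), and reports whether a PRT is present, how long ago it was refreshed, and whether it has expired.

```powershell
# Added example: evaluate PRT state from dsregcmd /status output.
# $sample is constructed for this demo; on a real device use:  $raw = dsregcmd /status
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-12-20 08:15:02.000 UTC
      AzureAdPrtExpiryTime : 2022-01-03 08:15:02.000 UTC
"@

function Get-DsregFields {
    param([string[]]$Lines)
    # Turn "   Key : Value" lines into a hashtable; the box-drawing lines are skipped.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-PrtState {
    param([hashtable]$Fields, [datetime]$Now)
    $hybrid = ($Fields['AzureAdJoined'] -eq 'YES') -and ($Fields['DomainJoined'] -eq 'YES')
    $hasPrt = $Fields['AzureAdPrt'] -eq 'YES'
    $result = [ordered]@{ HybridJoined = $hybrid; PrtPresent = $hasPrt }
    if ($hasPrt) {
        # dsregcmd prints times as "yyyy-MM-dd HH:mm:ss.fff UTC"
        $fmt = 'yyyy-MM-dd HH:mm:ss.fff'
        $culture = [cultureinfo]::InvariantCulture
        $updated = [datetime]::ParseExact(($Fields['AzureAdPrtUpdateTime'] -replace ' UTC$', ''), $fmt, $culture)
        $expires = [datetime]::ParseExact(($Fields['AzureAdPrtExpiryTime'] -replace ' UTC$', ''), $fmt, $culture)
        $result.HoursSinceRefresh = [math]::Round(($Now - $updated).TotalHours, 1)
        $result.Expired = $Now -gt $expires
    }
    return [pscustomobject]$result
}

$fields = Get-DsregFields -Lines ($sample -split "`r?`n")
Test-PrtState -Fields $fields -Now ([datetime]'2021-12-20 14:00:00')
```

A PRT that is absent, or whose update time does not move after a fresh sign-in, is the usual reason a device keeps prompting for MFA instead of satisfying the policy from the PRT's MFA claim.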