Forum Discussion
Solved
Require MFA on Azure AD joined devices
I have Azure AD joined devices that are managed with Intune. We have setup conditional access with conditions; - App=SharePoint Online - Control=Require MFA What we observe is that users on Azure...
fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials. This fulfils the requirement for MFA, which won't be prompted separately.
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
This is also explained here:
"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."
There is some further discussion on this here. I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.
https://jairocadena.com/2016/03/09/azure-ad-and-microsoft-passport-for-work-in-windows-10/ is a good explanation on this. Why do you need to MFA for access to sharepoint? Is it compliance reasons? The reason being you want password and MFA prompts to be minimal for users to prevent acceptance fatigue.