Forum Discussion
Reduction of Password Prompts with Intune Enrolled Phone
My company is transitioning from our current MDM to Intune, while at the same time moving our mailboxes from On-Prem to Exchange Online. Our current MDM requires no passwords from our users after initial enrollment of their mobile devices (both BYOD and company owned) thanks to Kerberos based authentication, whose tokens persist even after passwords are changed or expire and then are changed. In our testing using Intune enrollment and MFA using Authenticator, we found that users are still prompted to enter their password within Outlook when passwords change for an EXO mailbox and Entra ID / Azure account.
This is even true when enabling Passwordless Authentication, which is branded as eliminating the need for passwords (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless) yet still, users are prompted when passwords change and they are attempting to access company mail in Outlook for iOS on an Intune enrolled device for example.
This not only can present itself as a pain point for our users, who are used to not having to enter their password on their mobile devices or on their desktops using Windows Hello, for example; it is also, after years of backwards thinking in the security industry pushing password complexity and frequent password changes, now considered a gaping security risk, where users will circumvent or resist draconian password policies with incredibly simple passwords. Sadly, Passwordless Authentication on a mobile device, even with the added bonus of Face ID / biometrics, still doesn't eliminate having to retype a password when a password changes.
Per everything I've read and also discussions with some within Microsoft, it appears there is no way around this. Certificate Based Authentication (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication) with a PKI issuing certs to users that are deployed to devices via Intune may provide some relief, but we can't know for sure how this plays out in password change scenarios and don't have the luxury of testing this without a considerable amount of work even in a test / dev capacity.
For those out there using CBA, does CBA indeed make it so that password changes won't require users to retype their passwords to re-authenticate, and is the cert fully trusted in those instances? My concern is that it could be a similar scenario to Passwordless Authentication with Authenticator, where the cert is used commonly as a cred but it doesn't trump the requirement to occasionally enter the password when password changes occur, causing tokens to expire. But if CBA does indeed eliminate the requirement for entering passwords, it's something we will seriously consider.
- SebastiaanSmits (Steel Contributor)
Just for some context, your setup is following this general description: https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-strategy/journey-step-3
Why are there password changes if the passwords are not used anymore? Is this required by policy, for example? See the following text from the link provided above:
If your organization doesn't have password rotation requirements, it's recommended to disable password age.
If your organization has a password rotation policy, consider implementing automation to rotate the user's password regularly. This approach ensures that the user's password is always randomized and prevents the user from knowing the password.
So you have the second option set? Can you give us some insight into how you rotate the passwords behind the scenes?
------
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
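The rotation automation mentioned in the guidance quoted above, as an added example that is not from this thread or from Microsoft: a Microsoft Graph PowerShell script that sets each user's password to a random value nobody ever sees, so the password exists only to satisfy policy while sign-in stays on Authenticator, FIDO2 or CBA. The cmdlet names are real; the Graph permission scope, the admin role required and the UPN are assumptions to verify.

```powershell
# Added example (not from the thread): rotate an Entra ID user's password to a random value
# with Microsoft Graph PowerShell, so no human ever knows it. Assumes the Microsoft.Graph
# module is installed and the caller holds a role allowed to reset passwords (assumption).
#Requires -Modules Microsoft.Graph.Users

function New-RandomPassword {
    # 24 CSPRNG bytes -> 32 Base64 chars; loop until at least three character classes
    # are present so the value satisfies the Entra ID cloud password complexity rule.
    param([int]$ByteLength = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $ByteLength
    do {
        $rng.GetBytes($bytes)
        $candidate = [Convert]::ToBase64String($bytes)
        $classCount = 0
        foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[+/=]') {
            if ($candidate -cmatch $pattern) { $classCount++ }
        }
    } while ($classCount -lt 3)
    return $candidate
}

function Invoke-EntraPasswordRotation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    # Delegated scope for writing passwordProfile; the signed-in admin also needs a
    # password-reset-capable role. Both are assumptions to verify against current Graph docs.
    Connect-MgGraph -Scopes 'Directory.AccessAsUser.All' -NoWelcome
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Set random password')) {
            $newPassword = New-RandomPassword
            Update-MgUser -UserId $user.Id -PasswordProfile @{
                Password                      = $newPassword
                ForceChangePasswordNextSignIn = $false   # the user never types it
            }
            # Never log or persist $newPassword; sign-in continues via Authenticator, FIDO2 or CBA.
            Write-Verbose "Rotated password for $($user.UserPrincipalName)"
        }
    }
    Disconnect-MgGraph | Out-Null
}

# Dry run first (-WhatIf), then rotate for real; the UPN is a placeholder.
# Invoke-EntraPasswordRotation -UserPrincipalName 'user@contoso.example' -WhatIf
# Invoke-EntraPasswordRotation -UserPrincipalName 'user@contoso.example' -Verbose
```

As the original post reports, a password change by itself still produced prompts in Outlook on the Intune-enrolled devices tested, so check the rotation cadence against that behaviour before rolling it out.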