SOLVED
Home

Azure AD Windows Profile is Bypassing MFA

%3CLINGO-SUB%20id%3D%22lingo-sub-269756%22%20slang%3D%22en-US%22%3EAzure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-269756%22%20slang%3D%22en-US%22%3E%3CP%3EWe've%20had%20MFA%20configured%20for%20a%20couple%20of%20years%20now%2C%20and%20are%20just%20starting%20to%20configure%20devices%20so%20they%20log%20into%20an%20Azure%20AD%20profile%20on%20a%20device%20with%20Intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20this%20configuration%20more%20or%20less%20out%20of%20the%20box%2C%20after%20logging%20into%20Windows%2C%26nbsp%3B%20the%20user%20is%20automatically%20logged%20into%20Office.com%20in%20Edge%20and%20Office%20products%20(except%20Outlook).%20In%20effect%2C%20it's%20bypassing%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20configure%20Windows%20so%20it%20requires%20people%20to%20authenticate%20with%20the%20app%20or%20text%20when%20logging%20into%20Windows%2C%20or%26nbsp%3Botherwise%20is%20it%20possible%20to%20remove%20the%20SSO%20experience%20from%20Edge%3F%20We%20cannot%20allow%20users%20to%20get%20to%20certain%20SharePoint%20sites%20without%202%20factors%20from%20a%20new%20windows%20session%20if%20we%20want%20to%20stay%20in%20compliance%20with%20our%20client's%20security%20requirements.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-269756%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270093%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270093%22%20slang%3D%22en-US%22%3EAnd%20this%20is%20why%20I%20love%20hanging%20out%20and%20participating%20so%20much%20on%20this%20site%20%3Aface_with_tears_of_joy%3Athanks%20Vasil%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270091%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270091%22%20slang%3D%22en-US%22%3E%3CP%3EI%20know%20%3ApWell%2C%20Jairo%20knows%2C%20and%20has%20documented%20it%20pretty%20well%20on%20his%20blog%3A%20%3CA%20href%3D%22https%3A%2F%2Fjairocadena.com%2F2016%2F11%2F08%2Fhow-sso-works-in-windows-10-devices%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fjairocadena.com%2F2016%2F11%2F08%2Fhow-sso-works-in-windows-10-devices%2F%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20to%20review%20all%20the%20other%20articles%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270018%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270018%22%20slang%3D%22en-US%22%3EI%20don't%20know%20how%20%22technically%22%20it%20works%2C%20I%20just%20know%20that's%20expected%20behavior%20as%20it%20stores%20something%20locally%20I%20think%20via%20TPM%20when%20joining%20and%20using%20MFA%20to%20join%20the%20machine%2C%20which%20keeps%20you%20from%20having%20to%20do%20MFA%20for%20everything.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-270016%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-270016%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20makes%20sense%2C%20as%20long%20as%20I%20can%20document%20it%20and%20defend%20it%20we%20should%20be%20good%2C%20so%20thanks%20for%20explaining.%20I%20disable%20Windows%20Hello%20to%20ensure%20the%20password%20complexity%20and%20password%20change%20requirements%20are%20met%2C%20but%20I%20assume%20BitLocker%20w%2F%20TPM%20has%20the%20same%20effect%20as%20making%20it%20the%20'something%20you%20have'%2C%20or%20is%20there%20something%20fundamentally%20different%20about%20Hello%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-269990%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Windows%20Profile%20is%20Bypassing%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-269990%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20not%20bypassing%20MFA%2C%20when%20you%20join%20the%20machine%20to%20Azure%20AD%20it%20requires%20MFA%20to%20join%20the%20machine%2C%20which%20can%20use%20windows%20hello%20to%20use%20the%20TPM%20chip%2C%20turning%20your%20device%20into%20something%20you%20have%20and%20your%20Password%20%2F%20PIN(Hello)%20as%20part%20of%20the%20MFA%20so%20you%20no%20longer%20have%20to%20do%20MFA%20to%20access%20your%20office%20resources%20from%20the%20device%20itself.%20The%20idea%20is%20anyone%20accessing%20your%20o365%20account%20on%20anything%20other%20than%20that%20device%20or%20another%20joined%20device%20you%20setup%2C%20will%20still%20need%20to%20do%20MFA%20to%20access%20your%20resources.%20If%20your%20machine%20gets%20stolen%20lost%2C%20they%20must%20crack%20the%20password%2C%20but%20the%20machine%20can%20be%20disabled%2C%20which%20will%20force%20MFA%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Andrew Kovacs
New Contributor

We've had MFA configured for a couple of years now, and are just starting to configure devices so they log into an Azure AD profile on a device with Intune.

 

With this configuration more or less out of the box, after logging into Windows,  the user is automatically logged into Office.com in Edge and Office products (except Outlook). In effect, it's bypassing MFA.

 

Is it possible to configure Windows so it requires people to authenticate with the app or text when logging into Windows, or otherwise is it possible to remove the SSO experience from Edge? We cannot allow users to get to certain SharePoint sites without 2 factors from a new windows session if we want to stay in compliance with our client's security requirements.

5 Replies
Solution

It's not bypassing MFA, when you join the machine to Azure AD it requires MFA to join the machine, which can use windows hello to use the TPM chip, turning your device into something you have and your Password / PIN(Hello) as part of the MFA so you no longer have to do MFA to access your office resources from the device itself. The idea is anyone accessing your o365 account on anything other than that device or another joined device you setup, will still need to do MFA to access your resources. If your machine gets stolen lost, they must crack the password, but the machine can be disabled, which will force MFA again.

That makes sense, as long as I can document it and defend it we should be good, so thanks for explaining. I disable Windows Hello to ensure the password complexity and password change requirements are met, but I assume BitLocker w/ TPM has the same effect as making it the 'something you have', or is there something fundamentally different about Hello?

I don't know how "technically" it works, I just know that's expected behavior as it stores something locally I think via TPM when joining and using MFA to join the machine, which keeps you from having to do MFA for everything.

I know :p Well, Jairo knows, and has documented it pretty well on his blog: https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/

 

Make sure to review all the other articles as well.

And this is why I love hanging out and participating so much on this site :face_with_tears_of_joy: thanks Vasil
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies