
Azure app to always ask for MFA

RahamimL
Contributor

Hi all,

We have an Azure app that we want to always ask for an MFA code. This is a sensitive app that requires connecting from outside our LAN.

Right now, our service settings are set to allow users to remember MFA on devices they trust for 30 days.

I need to bypass this and force the users to always enter credentials every time they log in to the app.

Is there a way to do that?

Thanks, Rahamim.

5 Replies

Afaik you cannot. @Daniel Stefaniak was just discussing a similar scenario on another board, perhaps he can tune in here as well.

@Vasil Michev
In general, prompts are bad for security:

https://duo.com/blog/usability-is-security-the-future

https://duo.com/blog/part-1-usability-is-security. We will not let you compromise your security posture by breaking fundamentals of SSO

This isn't about breaking SSO. I need a way to give the user a prompt for credentials because the Azure app is sensitive and my users don't always come from a trusted computer.
Think about it like always using the Skype for Business plug-in when adding "?sl=1" to the URL.
Thanks, Rahamim.
Solution

@RahamimL you can set MFA policies per app if you have Azure AD P1/P2 using conditional access. However, AFAIK it cannot be used to overrule the "remember MFA for 30 days".
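
The per-app policy mentioned in the accepted answer, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original reply; the app display name and break-glass account ID are placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement. It contains no session controls, so it leaves the tenant's "remember MFA" setting discussed in the thread untouched.

```powershell
# Added example: Conditional Access policy requiring MFA for one application.
# Assumes the Microsoft.Graph PowerShell SDK and an Azure AD P1/P2 tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: display name of the sensitive app's enterprise application.
$appDisplayName = '<SENSITIVE-APP-DISPLAY-NAME>'
# Placeholder: object ID of an emergency-access account kept out of the policy
# so a misconfiguration cannot lock every administrator out.
$breakGlassId = '<BREAK-GLASS-USER-OBJECT-ID>'

# Resolve the application (client) ID; refuse to continue on an ambiguous name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal named '$appDisplayName', found $(@($sp).Count)."
}

$policy = @{
    displayName   = "Require MFA - $appDisplayName"
    # Report-only: evaluated and logged, but not enforced.
    # Change to 'enabled' once the sign-in logs show the expected results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($sp.AppId) }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```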
