SOLVED
Home

Azure app to always ask for MFA

%3CLINGO-SUB%20id%3D%22lingo-sub-386762%22%20slang%3D%22en-US%22%3EAzure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-386762%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20an%20Azure%20APP%20that%20we%20want%20to%20always%20ask%20for%20MFA%20code.%20This%20is%20a%20sensitive%20app%20that%20requires%20connecting%20from%20outside%20our%20LAN.%3C%2FP%3E%3CP%3ERight%20now%2C%20our%20service%20settings%20is%20set%20to%20allow%20users%20to%20remember%20MFA%20on%20devices%20they%20trust%20for%2030%20days.%3C%2FP%3E%3CP%3EI%20need%20to%20bypass%20this%20and%20force%20the%20users%20to%20always%20enter%20credentials%20every%20time%20they%20login%20to%20the%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20do%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20Rahamim.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-386762%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389183%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389183%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5953%22%20target%3D%22_blank%22%3E%40Nestori%20Syynimaa%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389175%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389175%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F255442%22%20target%3D%22_blank%22%3E%40RahamimL%3C%2FA%3E%26nbsp%3Byou%20can%20set%20MFA%20policies%20per%20app%20if%20you%20have%20Azure%20AD%20P1%2FP2%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-based-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Econditional%20access%3C%2FA%3E.%20However%2C%20AFAIK%20it%20can%20not%20be%20used%20to%20overrule%20the%20%22remember%20MFA%20for%2030%20days%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-388443%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-388443%22%20slang%3D%22en-US%22%3EThis%20isn't%20about%20breaking%20SSO%2C%20I%20need%20a%20way%20to%20give%20the%20user%20a%20prompt%20for%20credentials%20because%20the%20azure%20app%20is%20sensitive%20and%20my%20users%20don't%20always%20come%20from%20a%20trusted%20computer.%3CBR%20%2F%3EThink%20about%20it%20like%20always%20using%20Skype%20for%20business%20plug-in%20when%20adding%20to%20the%20URL%20%22%3Fsl%3D1%22.%3CBR%20%2F%3EThanks%2C%20Rahamim.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-387436%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-387436%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3Ein%20genera%20prompts%20are%20bad%20for%20security%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fduo.com%2Fblog%2Fusability-is-security-the-future%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fduo.com%2Fblog%2Fusability-is-security-the-future%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fduo.com%2Fblog%2Fpart-1-usability-is-security%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fduo.com%2Fblog%2Fpart-1-usability-is-security%3C%2FA%3E.%20We%20will%20not%20let%20you%20compromise%20your%20security%20posture%20by%20breaking%20fundamentals%20of%20SSO%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-386976%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20app%20to%20always%20ask%20for%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-386976%22%20slang%3D%22en-US%22%3E%3CP%3EAfaik%20you%20cannot.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F155736%22%20target%3D%22_blank%22%3E%40Daniel%20Stefaniak%3C%2FA%3E%20was%20just%20discussing%20a%20similar%20scenario%20on%20another%20board%2C%20perhaps%20he%20can%20tune%20in%20here%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E
RahamimL
Contributor

Hi all,

 

We have an Azure APP that we want to always ask for MFA code. This is a sensitive app that requires connecting from outside our LAN.

Right now, our service settings is set to allow users to remember MFA on devices they trust for 30 days.

I need to bypass this and force the users to always enter credentials every time they login to the app.

 

Is there a way to do that?

 

Thanks, Rahamim.

5 Replies

Afaik you cannot. @Daniel Stefaniak was just discussing a similar scenario on another board, perhaps he can tune in here as well.

@Vasil Michev 
in genera prompts are bad for security:

https://duo.com/blog/usability-is-security-the-future

https://duo.com/blog/part-1-usability-is-security. We will not let you compromise your security posture by breaking fundamentals of SSO

Highlighted
This isn't about breaking SSO, I need a way to give the user a prompt for credentials because the azure app is sensitive and my users don't always come from a trusted computer.
Think about it like always using Skype for business plug-in when adding to the URL "?sl=1".
Thanks, Rahamim.
Solution

@RahamimL you can set MFA policies per app if you have Azure AD P1/P2 using conditional access. However, AFAIK it can not be used to overrule the "remember MFA for 30 days".

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies