
How are cached credentials handled with PTA and 3SO and MFA

Tom Gould
Contributor

Curious how Azure AD Connect with PTA/3SO and MFA are handled from a remote employee without having logged into the network.

If users are remote for more than 90 days and do a password reset and have cached credentials, how do Office 365 PTA and seamless single sign-on handle those users? Does logging into a Microsoft service like Office 365 sync those creds to be active?

I also have a second question along the same lines. If we Hybrid Azure AD join our PCs and the PCs have not checked in with AD, how do they confirm the join?

1 Reply

Azure AD SSO does not relate to "remote" users. It basically sends a Kerberos ticket to AAD, thus it's only available for domain-joined devices. From the documentation: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubles...

  • Ensure that the corporate device is joined to the Active Directory domain.
  • Ensure that the user is logged on to the device through an Active Directory domain account.
  • Ensure that the user's account is from an Active Directory forest where Seamless SSO has been set up.
  • Ensure that the device is connected to the corporate network.
  • Ensure that the device's time is synchronized with the time in both Active Directory and the domain controllers, and that they are within five minutes of each other.

So in the case of "remote" users, SSO will always fail and PTA will trigger. As long as they are able to correctly authenticate and get a token, they should not see another prompt for the next 90 days or so, which is the default validity period for refresh tokens.
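The checklist the reply quotes, turned into a readiness check a client can run; this is an added example, not code from the reply or from Microsoft. It assumes the standard names Azure AD Connect registers (the AZUREADSSOACC computer account and the autologon.microsoftazuread-sso.com SPN host) and that w32tm.exe prints the offset with a dot decimal separator. Run it in a PowerShell session of the logged-on user; any false result is a reason Seamless SSO will fail and PTA will take over.

```powershell
# Added example (not code from the reply or from Microsoft): runs the Seamless SSO
# checklist quoted above on a Windows client. Assumptions: the SSO computer account
# is named AZUREADSSOACC and the SSO SPN host is autologon.microsoftazuread-sso.com
# (the names Azure AD Connect registers), and w32tm.exe prints offsets like "+00.0012s".
$r = [ordered]@{}
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# 1. Device is joined to an Active Directory domain
$r['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. Logged-on user is a domain account; USERDNSDOMAIN is only set for domain logons
$r['UserIsDomainAccount'] = -not [string]::IsNullOrEmpty($env:USERDNSDOMAIN)

# 3. The user's forest has Seamless SSO set up (AAD Connect creates AZUREADSSOACC)
try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
    $gc = New-Object System.DirectoryServices.DirectoryEntry "GC://$forest"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $gc, '(sAMAccountName=AZUREADSSOACC$)'
    $r['SsoAccountInForest'] = $null -ne $searcher.FindOne()
} catch { $r['SsoAccountInForest'] = $false }

# 4. Device can reach the corporate network: locate a DC and verify the secure channel
$dc = $null
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    $r['DomainController'] = $dc
    $r['SecureChannelOk'] = Test-ComputerSecureChannel -ErrorAction Stop
} catch { $r['SecureChannelOk'] = $false }

# 5. Clock within five minutes of the DC (the tolerance quoted in the checklist)
$r['ClockWithinFiveMinutes'] = $false
if ($dc) {
    $out = & w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        $r['ClockSkewSeconds'] = [math]::Round($skew, 3)
        $r['ClockWithinFiveMinutes'] = $skew -lt 300
    }
}

# 6. Informational: a ticket for the SSO SPN means Seamless SSO already worked once
$r['HasSsoKerberosTicket'] = [bool](& klist.exe 2>$null | Select-String 'autologon.microsoftazuread-sso.com')

[pscustomobject]$r | Format-List
```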
