Home

Random MFA prompts from Universal Store Native Client

%3CLINGO-SUB%20id%3D%22lingo-sub-901333%22%20slang%3D%22en-US%22%3ERandom%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-901333%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20morning%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFacing%20a%20rather%20bothersome%20issue%20at%20the%20moment.%20Our%20users%20are%20randomly%20being%20prompted%20for%20MFA%20authentication%20when%20they%20are%20not%20actively%20logging%20in%20somewhere.%3C%2FP%3E%3CP%3EAt%20first%20they%20just%20figured%20their%20account%20was%20being%20attacked%20but%20when%20looking%20at%20the%20sign-in%20logs%2C%20I%20see%20all%20the%20attempts%20match%20an%20application%20'Universal%20Store%20Native%20Client'%20which%20refers%20to%20the%20Windows%20Store%20for%20Business.%3C%2FP%3E%3CP%3ESo%20in%20essence%20it's%20not%20an%20attack%20so%20that's%20good%20but%20the%20employee%20never%20sees%20anything%20on%20their%20PC%20about%20this%20login%20attempt.%20They%20just%20get%20the%20app%20notification%20or%20the%20call%20from%20MS%20and%20luckily%20they%20decline.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20does%20not%20seem%20to%20be%20a%20negative%20impact%20on%20the%20PC%20side%20but%20I'd%20like%20to%20find%20a%20way%20to%20avoid%20this%20prompt%20or%20make%20it%20so%20the%20employee%20knows%20where%20it's%20coming%20from.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20looked%20around%20in%20the%20cloud%20apps%20section%20of%20conditional%20access%20policies%20but%20cannot%20find%20anything%20in%20the%20app%20list%20related%20to%20the%20Store%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20have%20ideas%20on%20how%20to%20find%20a%20workable%20solution%20for%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%3C%2FP%3E%3CP%3ESteve%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-901333%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-904633%22%20slang%3D%22en-US%22%3ERe%3A%20Random%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-904633%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F31161%22%20target%3D%22_blank%22%3E%40Steve%20Hernou%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20confirm%20that%20we%20have%20the%20same%20problem.%20Did%20a%20test%20yesterday%20where%20users%20got%20to%20test%20SMS%20and%20or%20APP%20authentication%20but%20it%20didn't%20matter.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20not%20affect%20use%20but%20is%20an%20annoyance%20for%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-904721%22%20slang%3D%22en-US%22%3ERe%3A%20Random%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-904721%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F423428%22%20target%3D%22_blank%22%3E%40kentknuttes%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYesterday%20I%20dug%20a%20but%20deeper%20in%20the%20sign-in%20logs%20and%20apparently%2C%20only%20our%20hybrid%20Azure%20AD%20joined%20devices%20are%20impacted%20by%20this.%3C%2FP%3E%3CP%3EThe%20devices%20which%20are%20only%20Azure%20AD%20registered%20do%20not%20get%20prompted%20and%20have%20'Success'%20for%20the%20Universal%20Store%20login%20with%20comment%20'MFA%20requirement%20skipped%20due%20to%20registered%20device'%3C%2FP%3E%3CP%3EYou'd%20think%20that%20the%20hybrid%20joined%20devices%20would%20also%20do%20this%20since%20that's%20a%20step%20up%20from%20being%20just%20registered.%3C%2FP%3E%3CP%3EI'll%20see%20if%20I%20can%20get%20MS%20support%20on%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911018%22%20slang%3D%22en-US%22%3ERe%3A%20Random%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911018%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3EI'm%20dealing%20with%20the%20same%20issue%20and%20I've%20been%20trying%20to%20explain%20Microsoft%20Azure%20support%20about%20this%20situation%20and%20they%20aren't%20that%20much%20of%20a%20help.%3CBR%20%2F%3EAll%20they%20know%20is%20to%20say%20that%20the%20user%20need%20to%20change%20his%20password%20although%20I'm%20showing%20them%20that%20there%20isn't%20any%20breach%20and%20the%20attempt%20is%20being%20made%20from%20inside%20the%20organization%20and%20the%20cause%20for%20the%20MFA%20alert%20is%20due%20to%20the%20%22Universal%20Store%20Native%20Client%22%20or%20%22Office%20UWP%20PWA%22%20apps.%3CBR%20%2F%3EAt%20one%20time%20I%20asked%20the%20technician%20what%20is%20even%20the%20Office%20UWP%20PWA%20app%20and%20he%20said%20to%20me%20%22How%20should%20I%20know%3F%20you%20tell%20me%20what%20it%20is%22%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Fhtml%2Fimages%2Femoticons%2Fxd_40x40.gif%22%20alt%3D%22%3Axd%3A%22%20title%3D%22%3Axd%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-921858%22%20slang%3D%22en-US%22%3ERe%3A%20Random%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921858%22%20slang%3D%22en-US%22%3E%3CP%3EFollowing%20along%20here.%26nbsp%3B%20Same%20issue%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-926083%22%20slang%3D%22en-US%22%3ERe%3A%20Random%20MFA%20prompts%20from%20Universal%20Store%20Native%20Client%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-926083%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425157%22%20target%3D%22_blank%22%3E%40itai248%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F430045%22%20target%3D%22_blank%22%3E%40nothingofnote%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWell%20I%20got%20an%20MS%20support%20tech%20on%20the%20phone%20and%20I%20got%20a%20little%20bit%20more%20information.%3C%2FP%3E%3CP%3E******%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3EAs%20you%20have%20not%20receive%20the%20Primary%20authentication%20prompt%20because%20the%20device%20is%20Hybrid%20Azure%20AD%20joined.%26nbsp%3B%20The%20Application%20uses%20WAM%20we%20see%20the%20application%20%2C%20Universal%20Store%20Native%20Client%20has%20a%20token%20to%20access%20Windows%20store%20for%20business.%20User%20is%20MFA%20enabled.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3EAs%20you%20have%20confirmed%20that%20this%20usually%20happens%20after%20a%20boot%20up%20process%20of%20the%20host%20machine%2C%20the%20MFA%20prompt%20is%20because%20of%20the%20below%20%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3EIf%20there%20is%20no%20MFA%20claim%20on%20the%20machine%20then%20Primary%20refresh%20token%20will%20use%20to%20authenticate%20user%20and%20MFA%20will%20be%20challenge%20to%20get%20MFA%20claim%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3EThe%20application%20is%20running%20at%20the%20background(you%20can%20see%20under%20the%20Task%20Manager)%20and%20when%20a%20reboot%20happens%2C%20the%20application%20automatically%20tries%20to%20authenticate%20without%20the%20user%20interaction.%20The%20user%20is%20not%20presented%20by%20the%20Primary%20authentication%20page%20as%20the%20device%20is%20Hybrid%20Azure%20AD%20joined%20and%20it%20picks%20up%20the%20Windows%20credentials.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E-%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EAs%20the%20MFA%20is%20enabled%20for%20the%20user%20account%2C%20the%20user%20is%20presented%20with%20a%20MFA%20challenge.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E-%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3ETo%20avoid%20the%20MFA%20prompts%2C%20try%20to%20disable%20the%20application%20from%20the%20Task%20Manager%20and%20reboot%20the%20machine.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3ETo%20confirm%20you%20again%20this%20is%20an%20expected%20behavior.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3E*******%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3E%3CSPAN%3EI%20can%20sort%20of%20follow%20where%20they%20are%20going%20with%20their%20assessment%20were%20it%20not%20that%20we%20use%20CA%20to%20define%20when%20MFA%20should%20kick%20in%20and%20we%20have%20a%20few%20trusted%20IPs%20from%20which%20no%20MFA%20is%20required%20and%20it%20even%20happens%20when%20connected%20to%20those%20networks.%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22x_MsoNormal%22%3EThey%20say%20'try%20to%20disable%20the%20app%20from%20Task%20Manager%20and%20reboot'%20but%20anyone%20know%20the%20process%20for%20the%20Microsoft%20Store%3F%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Steve Hernou
Contributor

Good morning

 

Facing a rather bothersome issue at the moment. Our users are randomly being prompted for MFA authentication when they are not actively logging in somewhere.

At first they just figured their account was being attacked but when looking at the sign-in logs, I see all the attempts match an application 'Universal Store Native Client' which refers to the Windows Store for Business.

So in essence it's not an attack so that's good but the employee never sees anything on their PC about this login attempt. They just get the app notification or the call from MS and luckily they decline.

 

There does not seem to be a negative impact on the PC side but I'd like to find a way to avoid this prompt or make it so the employee knows where it's coming from.

 

I looked around in the cloud apps section of conditional access policies but cannot find anything in the app list related to the Store app.

 

Anyone have ideas on how to find a workable solution for this?

 

Cheers

Steve

5 Replies

@Steve Hernou 

 

Hi!

 

Can confirm that we have the same problem. Did a test yesterday where users got to test SMS and or APP authentication but it didn't matter.

 

Does not affect use but is an annoyance for users.

@kentknuttes 

 

Yesterday I dug a but deeper in the sign-in logs and apparently, only our hybrid Azure AD joined devices are impacted by this.

The devices which are only Azure AD registered do not get prompted and have 'Success' for the Universal Store login with comment 'MFA requirement skipped due to registered device'

You'd think that the hybrid joined devices would also do this since that's a step up from being just registered.

I'll see if I can get MS support on this.

Hi,
I'm dealing with the same issue and I've been trying to explain Microsoft Azure support about this situation and they aren't that much of a help.
All they know is to say that the user need to change his password although I'm showing them that there isn't any breach and the attempt is being made from inside the organization and the cause for the MFA alert is due to the "Universal Store Native Client" or "Office UWP PWA" apps.
At one time I asked the technician what is even the Office UWP PWA app and he said to me "How should I know? you tell me what it is" :xd:

Following along here.  Same issue here.

@itai248 @nothingofnote 

 

Well I got an MS support tech on the phone and I got a little bit more information.

******

 

As you have not receive the Primary authentication prompt because the device is Hybrid Azure AD joined.  The Application uses WAM we see the application , Universal Store Native Client has a token to access Windows store for business. User is MFA enabled.

 

As you have confirmed that this usually happens after a boot up process of the host machine, the MFA prompt is because of the below :

 

If there is no MFA claim on the machine then Primary refresh token will use to authenticate user and MFA will be challenge to get MFA claim

 

The application is running at the background(you can see under the Task Manager) and when a reboot happens, the application automatically tries to authenticate without the user interaction. The user is not presented by the Primary authentication page as the device is Hybrid Azure AD joined and it picks up the Windows credentials.

-          As the MFA is enabled for the user account, the user is presented with a MFA challenge.

-         To avoid the MFA prompts, try to disable the application from the Task Manager and reboot the machine.

To confirm you again this is an expected behavior.

*******

 

I can sort of follow where they are going with their assessment were it not that we use CA to define when MFA should kick in and we have a few trusted IPs from which no MFA is required and it even happens when connected to those networks.

They say 'try to disable the app from Task Manager and reboot' but anyone know the process for the Microsoft Store? :)

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies