cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Require MFA for AAD Hybrid joined devices

%3CLINGO-SUB%20id%3D%22lingo-sub-737049%22%20slang%3D%22en-US%22%3ERequire%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-737049%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20planning%20a%20rollout%20of%202000%20new%20Windows%2010%20devices%20to%20the%20entire%20organization%20on%20a%20new%20domain%20as%20part%20of%20a%20merger%20and%20accompanying%20org%20name%20change.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20an%20onprem%20environment%20with%20DCs%20that%20aad%20sync%20and%20federate%20via%20ADFS%20to%20Office%20365%20and%20we%20have%20enabled%20MFA%20for%20access%20to%20Office%20365%20outside%20the%20company%E2%80%99s%20network%20using%20conditional%20access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECurrently%20we%20are%20evaluating%20hybrid%20joining%20devices%20to%20AAD%20as%20well%2C%20to%20achieve%20sso%20from%20within%20the%20company%E2%80%99s%20network%2C%20but%20we%20want%20to%20make%20sure%20that%20MFA%20is%20still%20required%20from%20the%20outside%2C%20even%20on%20managed%20devices%20if%20we%20choose%20to%20hybrid%20join%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHaving%20read%20through%20a%20lot%20of%20documentation%20already%2C%20it%20is%20not%20clear%20to%20me%20whether%20this%20can%20be%20achieved%20or%20whether%20MFA%20will%20be%20bypassed%20for%20said%20managed%20devices%20when%20outside%20the%20network.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20concern%20is%20for%20potential%20situations%20where%20a%20bad%20actor%20gets%20their%20hands%20on%20an%20unlocked%20device%20and%20can%20open%20up%20a%20browser%20and%20directly%20access%20any%20Office%20365%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20shine%20a%20light%20on%20this%3F%20What%20do%20we%20need%20to%20do%2C%20if%20anything%3F%20Thanks%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-737049%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738047%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738047%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1897%22%20target%3D%22_blank%22%3E%40Allan%20With%20S%C3%B8rensen%3C%2FA%3EHi%26nbsp%3Bin%20order%20to%20address%20the%20issues%20you%20describe%20you%20need%20to%20identify%20your%20public%20IP's%20and%20add%20those%20in%20the%20%22Trusted%20locations%22%20tab.%20Then%20all%20other%20clients%20coming%20from%20an%20IP%20not%20in%20the%20list%20will%20be%20prompted%20for%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20CA%20will%20not%20block%20your%20account.%20So%20the%20credentials%20could%20still%20be%20leaked%2C%20although%20no%20access%20will%20be%20granted.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Funtrusted-networks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Funtrusted-networks%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20your%20organization%20is%20using%20VPN%20such%20as%20Direct%20Access%20och%20Always-on-VPN%20you%C2%B4re%20in%20another%20kind%20of%20tight%20spot%20given%20that%20the%20IP%20will%20always%20originate%20from%20your%20external%20IP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%2FViktor%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-738798%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-738798%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20the%20device%20is%20already%20authenticated%20and%20has%20a%20valid%20PRT%2C%20it%20will%20bypass%20any%20MFA%20requirements%20(having%20a%20PRT%20is%20considered%20the%20same%20as%20doing%202FA).%20They%20will%20still%20be%20prompted%20to%20perform%20MFA%20upon%20the%20initial%20device%20join%2C%20or%20when%20the%20PRT%20has%20expired.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-742210%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-742210%22%20slang%3D%22en-US%22%3EHello%20Viktor%20-%20We%20have%20already%20added%20our%20own%20outgoing%20IP%20as%20a%20trusted%20network.%3CBR%20%2F%3EMy%20question%20is%20whether%20an%20AAD%20joined%20device%20will%20prompt%20for%20MFA%20when%20I%20open%20up%20a%20browser%20and%20attempt%20to%20access%20an%20Office%20365%20service.%20As%20far%20as%20I%20can%20understand%20from%20Vasils%20response%2C%20they%20won't%20be%20challenged%20for%20MFA%2C%20if%20the%20device%20is%20AAD%20Joined%20and%20has%20a%20valid%20PRT.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-742225%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-742225%22%20slang%3D%22en-US%22%3EHello%20Vasil%2C%20thank%20you%20for%20the%20response%20and%20for%20pointing%20me%20in%20the%20right%20direction.%20Is%20what%20you%20are%20saying%2C%20the%20same%20as%20what%20they%20are%20describing%20here%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fconcept-primary-refresh-token%23when-does-a-prt-get-an-mfa-claim%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fconcept-primary-refresh-token%23when-does-a-prt-get-an-mfa-claim%3C%2FA%3E%3CBR%20%2F%3E%3F%3CBR%20%2F%3EEssentially%2C%20that%20whenever%20a%20PRT%20requests%20a%20token%2C%20it%20does%20so%20by%20bypassing%20MFA%20or%20rather%20with%20the%20authority%20that%20MFA%20would%20grant%20it%3F%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20you%20see%20any%20security%20concerns%20in%20this%20approach%20in%20terms%20of%20bad%20actors%20getting%20their%20hands%20on%20an%20unlocked%20device%3F%20And%20what%20would%20be%20possible%20remedies%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-742940%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-742940%22%20slang%3D%22en-US%22%3E%3CP%3EYup%2C%20that's%20pretty%20much%20it.%20Why%20do%20you%20think%20it's%20a%20security%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-744722%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-744722%22%20slang%3D%22en-US%22%3EBypassing%20MFA%20has%20our%20IT%20department%20concerned%20that%20(for%20instance)%3A%3CBR%20%2F%3E%3CBR%20%2F%3E1)%20Someone%20who%20gets%20access%20to%20an%20unlocked%20aad%20joined%20device%20can%20go%20directly%20to%20Office%20365%20(using%20a%20browser)%20without%20being%20challenged%20for%20MFA.%3CBR%20%2F%3E%3CBR%20%2F%3E2)%20Malware%20will%20be%20able%20to%20directly%20attack%20and%20access%20Office%20365%20services%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20understand%20that%20if%20the%20user%20for%20instance%20has%20connected%20Outlook%20and%20OneDrive%20on%20their%20pc%20and%20sync'ed%20the%20content%2C%20that%20MFA%20is%20effectively%20already%20bypassed%2C%20but%20we%20want%20to%20understand%20whether%20the%20threat%20surface%20becomes%20larger%20by%20AAD%20joining%20devices%20or%20whether%20our%20worries%20are%20unwarranted%20%3A).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-745324%22%20slang%3D%22en-US%22%3ERe%3A%20Require%20MFA%20for%20AAD%20Hybrid%20joined%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-745324%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20with%20AAD%20joined%20devices%2C%20the%20device%20itself%20is%20considered%20the%20second%20factor%2C%20so%20you%20must%20take%20all%20necessary%20actions%20to%20secure%20it.%20Simply%20locking%20the%20device%20is%20enough%2C%20the%20PTA%20cannot%20be%20accessed%20unless%20a%20%22gesture%22%20is%20performed%2C%20so%20any%20other%20users%20trying%20to%20login%20to%20the%20same%20device%20will%20not%20be%20able%20to%20automatically%20access%20O365%20resources%20belonging%20to%20the%20given%20user.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Allan With Sørensen
Allan With Sørensen
Contributor

‎07-03-2019 12:42 PM

‎07-03-2019 12:42 PM

Require MFA for AAD Hybrid joined devices

We are planning a rollout of 2000 new Windows 10 devices to the entire organization on a new domain as part of a merger and accompanying org name change.

 

We have an onprem environment with DCs that aad sync and federate via ADFS to Office 365 and we have enabled MFA for access to Office 365 outside the company’s network using conditional access.

 

Currently we are evaluating hybrid joining devices to AAD as well, to achieve sso from within the company’s network, but we want to make sure that MFA is still required from the outside, even on managed devices if we choose to hybrid join them.

 

Having read through a lot of documentation already, it is not clear to me whether this can be achieved or whether MFA will be bypassed for said managed devices when outside the network.

 

Our concern is for potential situations where a bad actor gets their hands on an unlocked device and can open up a browser and directly access any Office 365 service.

 

Can anyone shine a light on this? What do we need to do, if anything? Thanks in advance.

584 Views
0 Likes
7 Replies
Reply
7 Replies
Highlighted
Viktor Hedberg

‎07-04-2019 04:36 AM

‎07-04-2019 04:36 AM

Re: Require MFA for AAD Hybrid joined devices

@Allan With SørensenHi in order to address the issues you describe you need to identify your public IP's and add those in the "Trusted locations" tab. Then all other clients coming from an IP not in the list will be prompted for MFA.

 

However, CA will not block your account. So the credentials could still be leaked, although no access will be granted.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks

 

If your organization is using VPN such as Direct Access och Always-on-VPN you´re in another kind of tight spot given that the IP will always originate from your external IP.

 

Hope this helps

 

/Viktor

 

0 Likes
Reply
Vasil Michev

‎07-04-2019 12:04 PM

‎07-04-2019 12:04 PM

Re: Require MFA for AAD Hybrid joined devices

If the device is already authenticated and has a valid PRT, it will bypass any MFA requirements (having a PRT is considered the same as doing 2FA). They will still be prompted to perform MFA upon the initial device join, or when the PRT has expired.

0 Likes
Reply
Allan With Sørensen

‎07-08-2019 03:50 AM

‎07-08-2019 03:50 AM

Re: Require MFA for AAD Hybrid joined devices

Hello Viktor - We have already added our own outgoing IP as a trusted network.
My question is whether an AAD joined device will prompt for MFA when I open up a browser and attempt to access an Office 365 service. As far as I can understand from Vasils response, they won't be challenged for MFA, if the device is AAD Joined and has a valid PRT.
0 Likes
Reply
Allan With Sørensen

‎07-08-2019 03:54 AM

‎07-08-2019 03:54 AM

Re: Require MFA for AAD Hybrid joined devices

Hello Vasil, thank you for the response and for pointing me in the right direction. Is what you are saying, the same as what they are describing here:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-d...
?
Essentially, that whenever a PRT requests a token, it does so by bypassing MFA or rather with the authority that MFA would grant it?

Do you see any security concerns in this approach in terms of bad actors getting their hands on an unlocked device? And what would be possible remedies?
0 Likes
Reply
Vasil Michev

‎07-08-2019 09:03 AM

‎07-08-2019 09:03 AM

Re: Require MFA for AAD Hybrid joined devices

Yup, that's pretty much it. Why do you think it's a security issue?

0 Likes
Reply
Allan With Sørensen

‎07-09-2019 05:33 AM

‎07-09-2019 05:33 AM

Re: Require MFA for AAD Hybrid joined devices

Bypassing MFA has our IT department concerned that (for instance):

1) Someone who gets access to an unlocked aad joined device can go directly to Office 365 (using a browser) without being challenged for MFA.

2) Malware will be able to directly attack and access Office 365 services


We understand that if the user for instance has connected Outlook and OneDrive on their pc and sync'ed the content, that MFA is effectively already bypassed, but we want to understand whether the threat surface becomes larger by AAD joining devices or whether our worries are unwarranted :).
0 Likes
Reply
Vasil Michev

‎07-09-2019 09:20 AM

‎07-09-2019 09:20 AM

Re: Require MFA for AAD Hybrid joined devices

Well with AAD joined devices, the device itself is considered the second factor, so you must take all necessary actions to secure it. Simply locking the device is enough, the PTA cannot be accessed unless a "gesture" is performed, so any other users trying to login to the same device will not be able to automatically access O365 resources belonging to the given user.

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
What is Canary ring in Windows insider program? and how do we get them?
 HotCakeX in Windows Insider Program on 09-27-2019
9 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
30 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies