Home

Mobile Application Management and MFA

%3CLINGO-SUB%20id%3D%22lingo-sub-359719%22%20slang%3D%22en-US%22%3EMobile%20Application%20Management%20and%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359719%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20setup%20a%20CA%20policy%20for%20a%20test%20user.%20The%20user%20must%20use%20the%20required%20app%20and%20MFA%20to%20access%20Exchange%20Online.%20We%20also%20want%20a%20PIN%20number%20for%20the%20app%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EShould%20this%20setup%20work%3F%20If%20the%20user%20opens%20Outlook%2C%20should%20Outlook%20prompt%20for%20MFA%20and%20then%20the%20PIN%20number%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-359719%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-359741%22%20slang%3D%22en-US%22%3ERe%3A%20Mobile%20Application%20Management%20and%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359741%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F174439%22%20target%3D%22_blank%22%3E%40Oliver%20Kieselbach%3C%2FA%3E%26nbsp%3B.%20I%20think%20the%20PIN%20number%20will%20probably%20satisfy%20everything%20really.%20Much%20appreciated.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-359732%22%20slang%3D%22en-US%22%3ERe%3A%20Mobile%20Application%20Management%20and%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359732%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20David%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eyou%20can%20enforce%20MFA%20on%20the%20CA%20side%20or%20on%20the%20user-level.%20MFA%20in%20general%20does%20have%20a%20caching%20(refresh%20token).%20As%20long%20as%20your%20token%20will%20be%20flagged%20as%20strong%20authentication%20you%20don't%20need%20to%20do%20MFA%20again%2C%20so%20you%20can%20use%20the%20token%20to%20get%20access%20to%20something.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20do%20on%20top%20now%20Intune%20App%20Protection%20Policies%20(aka%20MAM)%20then%20you%20can%20enforce%20%22Access%20requirements%22%20for%20Outlook%20to%20prompt%20the%20user%20for%20a%20PIN%20on%20start.%20This%20would%20require%20the%20user%20to%20enter%20the%20PIN%20every%20time%20the%20user%20starts%20regardless%20of%20your%20authentication%20token.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20totally%20a%20valid%20setup%2C%20have%20seen%20several%20environments%20running%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi all,

 

I've setup a CA policy for a test user. The user must use the required app and MFA to access Exchange Online. We also want a PIN number for the app itself.

 

Should this setup work? If the user opens Outlook, should Outlook prompt for MFA and then the PIN number?

2 Replies

Hi David,

 

you can enforce MFA on the CA side or on the user-level. MFA in general does have a caching (refresh token). As long as your token will be flagged as strong authentication you don't need to do MFA again, so you can use the token to get access to something. 

If you do on top now Intune App Protection Policies (aka MAM) then you can enforce "Access requirements" for Outlook to prompt the user for a PIN on start. This would require the user to enter the PIN every time the user starts regardless of your authentication token. 

This is totally a valid setup, have seen several environments running this.

 

best,

Oliver

Thanks @Oliver Kieselbach . I think the PIN number will probably satisfy everything really. Much appreciated.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies