SOLVED

Conditional Access not working as expected


Hi guys

 

I'm trying to configure Conditional Access for our users. We have Windows 10 managed notebooks, which are AAD Joined and have Windows Hello for Business configured, and everything is working fine.

We would like to configure a Conditional Access Policy to force the users every 23 hours to enter their password and MFA again. For that I have configured a policy where I grant the permission only with MFA and a compliant device.

But the users are not prompted to enter the MFA again. I can see that the correct policy has been hit (see the second printscreen).

Is there anything I could have misunderstood, or should this work like we would need?

 

Many thanks for any hints on this

 

Best regards,
Marc

8 Replies
Hi, I can't see anything in your screenshots that shows the "Sign-in Frequency" config set to 23 hours?

@ChristianJBergstrom 

 

Hi Christian

Many thanks for your feedback. I sent you all the settings I have in the policy.

 

Best regards,

Marc

This is what I would like to have, except that we would like to have MFA in addition for Windows 10.

Hello again, difficult to say when not working in your environment. Have you tried the What If tool?

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

@ChristianJBergstrom 

 

Hi Christian

I'm sorry for the late reply. We saw in the sign-in logs that the "Windows Sign In" with Windows Hello for Business, which we use, is registered as "Single Factor Authentication", but shows "MFA requirement satisfied by claim in the token".

So I assume that Windows Hello for Business is probably causing this, but I'm not sure. Also, because of this, the Conditional Access overview shows those "Windows Sign In" entries as "Out of scope", which is a little odd.

I also discovered that I don't have MFA enabled for the individual users in AAD, but the users needed to set up MFA initially because of the Conditional Access policy. Is it necessary to enable or even enforce MFA for all users in AAD?

 

Best regards

Marc

best response confirmed by marckuhn (Contributor)
Solution

Yes, all users should be forced to use MFA. Here's an article I found just now which explains it all as you're on WHFB, much better than if I would give it a go! https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompte...

Going forward, try out the What if tool and the Report-only option when you experience odd stuff. Perhaps you'd benefit using the new CA templates in preview too. Have a look https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces... (the article was updated recently but you'll see those that are common to use if you scroll down)

 

As sign-in frequency also includes MFA nowadays you should be able to get this working.

Good luck!

@ChristianJBergstrom 

Thanks for that and your help on this. The only thing which is a little special is that it shows that the Windows Sign In with Hello for Business is Single Factor and not Multi Factor, but has the MFA accepted. Would be better for the understanding, or what do you think?

Hello again, no worries. I think it's fun. I understand it's confusing but from my understanding it's simply because Windows Hello for Business sign-in is a form of MFA, which utilizes the PRT, gets the claim, satisfies the strong authentication and Azure AD honors that claim. It's detailed in the above link under the "subtle points".
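The sign-in log pattern discussed in this thread can be triaged with a short script. This is an added example, not code from the thread or from Microsoft: the records are constructed, and the field names are assumed to match a JSON export of the Microsoft Graph `signIn` resource.

```python
# Result detail quoted in the thread for Windows Hello for Business sign-ins.
CLAIM_DETAIL = "MFA requirement satisfied by claim in the token"

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"appDisplayName": "Windows Sign In",  # WHfB device sign-in
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "authenticationDetails": [
         {"authenticationMethod": "Windows Hello for Business",
          "succeeded": True,
          "authenticationStepResultDetail": CLAIM_DETAIL}]},
    {"appDisplayName": "Office 365 Exchange Online",  # policy hit, no prompt
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "authenticationDetails": [
         {"authenticationMethod": "Previously satisfied",
          "succeeded": True,
          "authenticationStepResultDetail": CLAIM_DETAIL}]},
    {"appDisplayName": "Azure Portal",  # user actually answered a prompt
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "authenticationDetails": [
         {"authenticationMethod": "Mobile app notification",
          "succeeded": True,
          "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
]

def classify(signin):
    """Explain why a sign-in did or did not produce an MFA prompt."""
    details = signin.get("authenticationDetails", [])
    by_claim = any(
        d.get("succeeded")
        and d.get("authenticationStepResultDetail") == CLAIM_DETAIL
        for d in details)
    ca_applied = signin.get("conditionalAccessStatus") in ("success", "failure")
    if by_claim and not ca_applied:
        return "claim in token, policy out of scope"
    if by_claim:
        return "claim in token, no prompt"
    if signin.get("authenticationRequirement") == "multiFactorAuthentication":
        return "interactive MFA"
    return "single factor"

def report(signins):
    """Return (application, classification) pairs for review."""
    return [(s["appDisplayName"], classify(s)) for s in signins]

if __name__ == "__main__":
    for app, verdict in report(SAMPLE_SIGNINS):
        print(f"{app}: {verdict}")
```

Entries classified as "claim in token" are the ones where a grant control requiring MFA is met without a prompt, which is the behaviour the sign-in frequency session control is meant to bound.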