Double MFA when logging into Win10 with SAML-federated AAD identity

Our environment is predominantly Mac + GSuite. We have some users who need Office Apps but GSuite is our collaboration platform. We have a few Windows users. I followed this guide with a couple modifications to federate O365/AAD to GSuite with SAML.

While that works great for Mac users, Windows users have a few issues. I am managing Win10 laptops with Intune Device licenses and using that to enable Web Sign-in as well as manage device security posture and deploy a few applications. This allows users to log into their laptop with their AAD (Google-via-SAML) credentials. Google is enforcing 2-step auth so the user logs in with U/P and then 2FA. For some reason, even though MFA is set to Disabled for the user, they are prompted to set up (or use if they have already set up) Microsoft Authenticator to provide a 2nd factor to AAD. If they are disabled for MFA I have to enable their user so they can complete this step. I've looked at the Okta WS-Fed guide on how to signal AAD that MFA was used but have no idea how that might be accomplished in my scenario.

Once through the hoops the user sets up Windows Hello and it isn't really an issue with any frequency but it is really ugly and I want to fix it.

Is there a way to set all federated users to never be MFA-prompted while leaving MFA enabled for our non-federated admin user?

Thanks

You probably have Security defaults enabled: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

More generally speaking, Azure AD will honor MFA claims inserted by other IdPs, but I'm not sure if this is the case for G-Suite federation. 

@Vasil Michev I did enable Security Defaults as indicated in that link. I also went back in and toggled it back to No hoping that would take care of it but it did not change the issue. Once that setting is enabled, does toggling it off in the UI only revert some settings? Is there a list of what the security defaults are and their related PowerShell commands to verify the UI un-sets them, or manually unset them as needed?

The article lists what exactly Security defaults "translates" to, first paragraph on top. You won't see them in other parts of the UI.

@Vasil Michev I see the list. I am having some difficulty finding a good way to determine the current state of those settings.

The group setting is off:

Specifically I want to make sure that these 2 are not enabled for the federated domain:

Requiring all users to register for Azure Multi-Factor Authentication.

Requiring users to perform multi-factor authentication when necessary.

Thanks

--Jason
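As an added example (not from anyone in the thread), the script below reads the three states this discussion turns on: whether Security defaults are still enforced tenant-wide, the per-user MFA state of every account in the federated domain, and whether the federated domain is flagged as performing MFA itself, which is the federation-side flag Azure AD checks before it will trust an MFA claim from the IdP. It assumes the Microsoft.Graph and MSOnline modules are installed and uses `example.com` as a placeholder for the GSuite-federated domain.

```powershell
# Added example: audit the tenant settings behind a double-MFA prompt.
# Assumes the Microsoft.Graph and MSOnline modules are installed;
# 'example.com' is a placeholder for the GSuite-federated domain.
param([string]$FederatedDomain = 'example.com')

# 1. Security defaults are a single tenant-wide boolean on the enforcement
#    policy. Toggling them off in the portal should make isEnabled false;
#    if it still reads true, the tenant is still enforcing them.
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
$sd = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
"Security defaults enforced: $($sd.isEnabled)"

# 2. Per-user (legacy) MFA state. StrongAuthenticationRequirements is empty
#    when the user is Disabled; otherwise State is 'Enabled' or 'Enforced'.
Connect-MsolService
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$FederatedDomain" } |
    ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements) {
            $_.StrongAuthenticationRequirements.State
        } else {
            'Disabled'
        }
        [pscustomobject]@{ User = $_.UserPrincipalName; PerUserMfa = $state }
    } | Format-Table -AutoSize

# 3. Federation settings for the domain. SupportsMfa tells Azure AD that the
#    external IdP can satisfy MFA; when it is false, Azure AD will prompt for
#    its own second factor regardless of what the IdP already did.
$fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
"Domain $FederatedDomain SupportsMfa: $($fed.SupportsMfa)"
```

Whether the IdP then actually emits an MFA claim in its assertion is a separate question that these read-only checks do not answer.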