Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

PIM not getting mfa prompt

Iron Contributor

Hello all

 

I have enabled PIM for Azure AD roles. Below you can see we are requiring mfa when activating the GA role. I am noticing that after the time expires on the role, when i go back in to activate the role i am not getting prompted for mfa. I even restarted my device opened the browser and i wasnt prompted when i elevated.  Any suggestions on why this is happening is appreciated 

 

Skipster3111_0-1630338739450.png

 

5 Replies
best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 Hello, I'm pretty sure that you only get prompted per session and not activation. So you should look for your sign-in frequency settings.

This is interesting.

TLDR: It sounds like shortening sign-in frequency may be the best way to protect all Admin roles if there is a concern about an unauthorized person commandeering an administrator's unlocked workstation and elevating permissions/roles within a session.

*** Original ticket/request ***
I recently opened a ticket after reading https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-re... and testing to verify that AAD PIM ONLY requires MFA if the account has not already MFA'd when "On activation, require Azure MFA" is enabled.
However, I would be curious to know whether it would be possible to require MFA at the time of the request and not just accept the previous MFA authentication/session as sufficient for this request.

The business case being if a user who has Admin role eligibility either fails to lock his workstation OR has his browser session hijacked, I would like JIT MFA to kick in to prevent privilege escalation.

That's why you have the approval process. It's not necessary to enforce MFA but I can't see any reason why it shouldn't be checked in the settings when activating a role. And when approval is configured you just don't get whatever permission/role being activated.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-...

@OverEngineeredNetwork 

create a CA policy with authentication context and MFA strength --> push MFA and select session frequency every time and apply to users and test.

 

@ChristianJBergstrom 

@mamirn - do you have any documentation or steps on how to achieve this?  everything I have found has been vague and not helpful.

1 best response

Accepted Solutions
best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 Hello, I'm pretty sure that you only get prompted per session and not activation. So you should look for your sign-in frequency settings.

View solution in original post