SOLVED

PIM not getting mfa prompt


Hello all

 

I have enabled PIM for Azure AD roles. Below you can see we are requiring MFA when activating the GA role. I am noticing that after the time expires on the role, when I go back in to activate the role I am not getting prompted for MFA. I even restarted my device, opened the browser, and I wasn't prompted when I elevated. Any suggestions on why this is happening are appreciated.

 

[Image: PIM role settings screenshot (Skipster3111_0-1630338739450.png)]

 

3 Replies
best response confirmed by Skipster311-1 (Frequent Contributor)
Solution

@Skipster311-1 Hello, I'm pretty sure that you only get prompted per session and not per activation. So you should look at your sign-in frequency settings.
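The reply above points at sign-in frequency rather than the PIM role setting. The practical reason the original poster saw no prompt even after a reboot is that the MFA claim lives in the session (on an Azure AD joined device it is carried in the Primary Refresh Token), so PIM accepts it as already satisfied. One way to turn that into a per-activation prompt is a Conditional Access policy scoped to privileged directory roles with sign-in frequency set to "every time". The following is an added example, not code from the thread or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK and assumes you have the Policy.ReadWrite.ConditionalAccess permission. The break-glass object ID is a placeholder, and the role template IDs and the Windows Azure Service Management API app ID are the well-known, tenant-independent values.

```powershell
# Added example (not from the thread): Conditional Access policy that forces
# a fresh MFA every time an eligible admin signs in to Azure management, so an
# earlier MFA claim in a hijacked or unlocked session cannot be reused for PIM
# activation. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Well-known directory role template IDs (the same in every tenant).
$globalAdmin   = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
$privRoleAdmin = "e8611ab8-c189-46e8-94e1-60213ab1f814"   # Privileged Role Administrator
$securityAdmin = "194ae4cb-b126-40b2-bd5b-6091b380977d"   # Security Administrator

# Emergency-access (break-glass) account to exclude so the policy cannot lock
# out the whole tenant. Hypothetical value; replace with your own object ID.
$breakGlass = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Privileged roles: MFA on every sign-in to Azure management"
    # Start in report-only; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdmin, $privRoleAdmin, $securityAdmin)
            excludeUsers = @($breakGlass)
        }
        applications = @{
            # Windows Azure Service Management API: Azure portal, ARM and the
            # PIM activation experience all sit behind this resource.
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            # "everyTime" re-prompts on each sign-in instead of on a timer.
            frequencyInterval  = "everyTime"
            # Require both password and MFA again, not just the second factor.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"    # no "stay signed in" cookies for admins
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode for a few days and check the Conditional Access tab of the sign-in logs for the admins it targets; an "every time" sign-in frequency is deliberately disruptive, and an excluded break-glass account that is itself PIM-eligible would defeat the purpose. Note also that this policy keys on directory-role membership and the Azure management resource, which is broader than the single role in the screenshot; PIM can also be tied to a Conditional Access authentication context per role, which is the narrower option if you only want the prompt on activation.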

This is interesting.

TLDR: It sounds like shortening sign-in frequency may be the best way to protect all Admin roles if there is a concern about an unauthorized person commandeering an administrator's unlocked workstation and elevating permissions/roles within a session.

*** Original ticket/request ***
I recently opened a ticket after reading https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa and testing to verify that AAD PIM ONLY requires MFA if the account has not already MFA'd when "On activation, require Azure MFA" is enabled.
However, I would be curious to know whether it would be possible to require MFA at the time of the request and not just accept the previous MFA authentication/session as sufficient for this request.

The business case being if a user who has Admin role eligibility either fails to lock his workstation OR has his browser session hijacked, I would like JIT MFA to kick in to prevent privilege escalation.

That's why you have the approval process. It's not necessary to enforce MFA, but I can't see any reason why it shouldn't be checked in the settings when activating a role. And when approval is configured you just don't get whatever permission/role is being activated.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-...