Oct 09 2019
- last edited on
Jul 24 2020
Facing a rather bothersome issue at the moment. Our users are randomly being prompted for MFA authentication when they are not actively logging in somewhere.
At first they just figured their account was being attacked but when looking at the sign-in logs, I see all the attempts match an application 'Universal Store Native Client' which refers to the Windows Store for Business.
So in essence it's not an attack so that's good but the employee never sees anything on their PC about this login attempt. They just get the app notification or the call from MS and luckily they decline.
There does not seem to be a negative impact on the PC side but I'd like to find a way to avoid this prompt or make it so the employee knows where it's coming from.
I looked around in the cloud apps section of conditional access policies but cannot find anything in the app list related to the Store app.
Anyone have ideas on how to find a workable solution for this?
Oct 09 2019 10:59 PM
Can confirm that we have the same problem. Did a test yesterday where users got to test SMS and or APP authentication but it didn't matter.
Does not affect use but is an annoyance for users.
Oct 10 2019 12:13 AM
Yesterday I dug a but deeper in the sign-in logs and apparently, only our hybrid Azure AD joined devices are impacted by this.
The devices which are only Azure AD registered do not get prompted and have 'Success' for the Universal Store login with comment 'MFA requirement skipped due to registered device'
You'd think that the hybrid joined devices would also do this since that's a step up from being just registered.
I'll see if I can get MS support on this.
Oct 13 2019 12:17 AM - edited Oct 13 2019 12:19 AM
I'm dealing with the same issue and I've been trying to explain Microsoft Azure support about this situation and they aren't that much of a help.
All they know is to say that the user need to change his password although I'm showing them that there isn't any breach and the attempt is being made from inside the organization and the cause for the MFA alert is due to the "Universal Store Native Client" or "Office UWP PWA" apps.
At one time I asked the technician what is even the Office UWP PWA app and he said to me "How should I know? you tell me what it is"
Oct 22 2019 12:14 AM
Well I got an MS support tech on the phone and I got a little bit more information.
As you have not receive the Primary authentication prompt because the device is Hybrid Azure AD joined. The Application uses WAM we see the application , Universal Store Native Client has a token to access Windows store for business. User is MFA enabled.
As you have confirmed that this usually happens after a boot up process of the host machine, the MFA prompt is because of the below :
If there is no MFA claim on the machine then Primary refresh token will use to authenticate user and MFA will be challenge to get MFA claim
The application is running at the background(you can see under the Task Manager) and when a reboot happens, the application automatically tries to authenticate without the user interaction. The user is not presented by the Primary authentication page as the device is Hybrid Azure AD joined and it picks up the Windows credentials.
- As the MFA is enabled for the user account, the user is presented with a MFA challenge.
- To avoid the MFA prompts, try to disable the application from the Task Manager and reboot the machine.
To confirm you again this is an expected behavior.
I can sort of follow where they are going with their assessment were it not that we use CA to define when MFA should kick in and we have a few trusted IPs from which no MFA is required and it even happens when connected to those networks.
They say 'try to disable the app from Task Manager and reboot' but anyone know the process for the Microsoft Store? :)
Nov 20 2019 10:53 AM
@Steve Hernou I'm a program manager on the Azure AD team--I reached out in a private message for more information so our engineering team can take a deeper look at your issue.
Nov 20 2019 12:09 PM
Dec 02 2019 11:56 PM
@Steve Hernou can you share anything from this. what was the result from your Microsoft contact?
Dec 03 2019 12:51 AM
@ppeedu there are two sides to the story (aren't there always :) ).
On the one hand the MFA prompts are 'normal behaviour' based on the CA policies we have set up (they apply to all cloud apps and apparently the universal store native client is considered as one).
This was determined through analysis of the sign-in logs. There's also the refresh token after successful strong auth that plays a part in why you sometimes get the prompt and sometimes you don't (because your refresh token is still valid).
The other thing is, even though it's considered as working as designed, my gripe with this is there is no way to exclude the 'universal store native client' from the ca policies, nor can I find the 'Windows Store for Business' to which the sign-in logs refer and worse, the end user has no idea why they are getting the MFA prompt since they are not actively signing in.
My question on how to tackle this within the scope of ca policies has been forwarded to someone of the product group for the ca service so hoping to get some answers from there to be able to provide a better user experience for our employees.
Dec 05 2019 10:28 PM
@Steve Hernou I have the same problem. I provided log sample to the MS Australia security lead today hoping with an insider we can get answers. In my case we block the UK in Conditional Access which is where all this traffic is originating from so we are safe but it's a frigging nuisance with all the MCAS alerts coming through.
Dec 09 2019 08:01 AM
So far no news to report here. Haven't received feedback yet from conditional access product manager but I relaunched this morning.
Please share should you receive something useful from your side of the globe :)
Dec 11 2019 11:31 AM
Folks, I'm pulling in some of my colleagues from the conditional access team and we're looking at the situation. We'll share any results we find. Steve's summary above is accurate--in the examples we've looked at, CA is triggering MFA as the policies define.
Dec 12 2019 06:55 AM
I want to chime in on this thread, as we are seeing the same behavior. (Unfortunately, our MFA configuration is not CA-based, as we have not altered it from turning it up almost 2 years ago and "forcing" MFA for everything.)
The good part, as others mentioned, is that users are reporting an unknown authentication attempt as fraud. The bad news is the user has no idea what is triggering it, and the logs point to the Universal Store Native Client.
I look forward to possible solutions.
Dec 13 2019 05:10 AM
Small update via one of the conditional access product managers.
- There is no way to individually target the 'Universal Store' app in the ca policies. It doesn't make sense for all apps to be individually targetable (due to underlying dependencies).
- A possible solution/workaround (depends on your point of view) and only if you have HAAJ devices would be to update your CA policy to 'require MFA or hybrid join' and combine this with WHFB.
Of course this requires (significant) changes in your environment depending on your current situation and implementing WHFB is a project in its own right.
I have again asked if there's anything we can do in the as-is situation to alleviate employee frustration without lowering our current security posture.....update when I get info :)
Dec 16 2019 07:20 AM
This might be the last update for a while. Received confirmation from CA product manager that there's really nothing we can do to suppress these prompts (unless you want to change your existing configuration - see previous post).
They are getting in touch with the people from the Universal Store app to see what they can do in the future but we shouldn't expect anything short term.
@Michael McLaughlin , can you 'tag' this article and update when there's news from Microsoft side please?
Thanks and happy holidays everyone
Dec 23 2019 12:09 PM
I hope for a resolution as well. I had already turned off MSCommerceProductPolicies and have now turned off store in 'user owned apps and services.' To me this alone should break any association with Native Store and associated credentials as I have disallowed it to be so. Not to mention it is not a requirement to have an account to access Native Store nor should it. Unless you admin via Intune you are creating a local account as an admin to deploy user apps and features (probably). Hopefully we will see a fix to this as end user confusion runs high in my line of business.