Feb 02 2020
09:21 PM
- last edited on
Jan 14 2022
04:34 PM
by
TechCommunityAP
Hi All,
We are looking to make the Palo Alto GCPS client work through SAML. Integration is successful, but when it comes to authentication with MFA, MFA is bypassed with "remember me". Since this is an app which gives VPN access, and to comply with various standards such as PCI, user-based MFA behavior is expected in these cases for those apps.
The scenarios we have tried are below, but MFA is bypassed in all cases.
1. Conditional Access with session control set to 1 hour.
2. Persistent browser session option with all cloud apps enabled.
3. Create a new custom auth policy:
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeSessionSingleFactor":"00:30:00","MaxAgeSessionMultiFactor":"00:30:00"}}') -DisplayName "PaloAlto-GCPS" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
With the custom auth policy it at least prompts for the password, but it still bypasses MFA.
Is there a way to make MFA prompt for a particular app? Especially now that everything is becoming SaaS, including the firewall in this case, we are kind of stuck not using SAML, and the alternate path is RADIUS with third-party MFA to achieve user-based MFA.
I am sure I am not the only client with this problem; a lot of clients would have reported it. I have had an open case with support for more than 2 months to find a path.
Kindly share your thoughts and feedback. Sorry for the lengthy description, and this is my first post, so bear with me.
Feb 03 2020 07:09 AM
@Rajkumar_Manibharathy are you doing this from a Windows 10 machine that is hybrid joined? Does this use a browser such as Edge for presenting the login? Windows Hello becomes the secondary factor, from memory, when using MFA. If you use an incognito browser you should get prompted for MFA.
Feb 04 2020 02:15 PM
@Mark Lewis Yes, I am testing on Windows 10 and Mac, hybrid Azure AD joined and Azure AD joined.
Based on the default browser we select, it presents Chrome, IE or Edge. Thanks, let me try incognito.
For Chrome I see there are a lot of extensions to make some websites default to incognito, but in IE and Edge I do not see anything like that. Any idea on that, please?
Feb 04 2020 11:18 PM
@Rajkumar_Manibharathy do you get prompted for MFA on the Mac OS device? Not sure how to force incognito/in-private off the top of my head for certain sites on Edge/IE.
Feb 06 2020 08:42 AM
@Mark Lewis yes, strangely it works on Mac. I even tried to push IE into private mode always through its properties. It still bypasses MFA.
Feb 06 2020 08:46 AM
And does it work (prompt for MFA) on a non-domain-joined or non-hybrid-joined machine? A personal laptop, for example.
Do you use Windows Hello for Business?
I suspect that the machine itself is being used as the second factor, rather than prompting on the app.
Feb 06 2020 09:33 AM
@Mark Lewis we do not use Hello for Business. On devices with the corporate image, both Mac and Windows, it bypasses MFA when "remember me" is checked. Only on non-domain-joined devices does it prompt for MFA.
Feb 06 2020 02:04 PM
Solution
Updates!!! Finally it worked with one more change to the Azure AD policy.
But this option is in preview mode I believe, so I am worried about going to prod with this.
{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeSessionSingleFactor":"00:30:00","MaxAgeSessionMultiFactor":"00:30:00","MaxAgeMultiFactor":"00:30:00"}}
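As an added example (not code posted in the thread), here is the full sequence to create the token lifetime policy from the solution post, including the MaxAgeMultiFactor setting, and bind it to the GlobalProtect enterprise application's service principal so that it applies only to that app; the AzureAD module and the service principal display name are assumptions.

```powershell
# Added example, not from the original thread. Assumes the AzureAD PowerShell
# module is installed and that the enterprise app's display name matches $appName.
Connect-AzureAD

# Policy definition from the solution post. MaxAgeMultiFactor is the setting the
# poster added to get a fresh MFA prompt; the other values limit token/session age.
$definition = @'
{
  "TokenLifetimePolicy": {
    "Version": 1,
    "AccessTokenLifetime": "00:30:00",
    "MaxAgeSessionSingleFactor": "00:30:00",
    "MaxAgeSessionMultiFactor": "00:30:00",
    "MaxAgeMultiFactor": "00:30:00"
  }
}
'@

# Create the policy as a non-default (app-scoped) policy.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName "PaloAlto-GCPS" `
    -IsOrganizationDefault $false `
    -Type "TokenLifetimePolicy"

# Look up the service principal for the SAML enterprise app (display name assumed).
$appName = "Palo Alto GlobalProtect"
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found" }

# Attach the policy to that service principal only, so other apps keep their defaults.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify the assignment before testing a sign-in from a hybrid-joined device.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition
```

Test with the same hybrid-joined Windows device and "remember me" checked, since that was the case where MFA was being skipped in the thread.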