Jun 15 2022 - last edited on Feb 10 2023
We're finishing with adding MFA to all our users, which is great. However, we are encountering an issue on systems with temporary sessions, like classroom labs and remote desktop server where sessions are cleaned regularly.
When a user opens any Office app (we've been testing Word and Excel the most), the auto-login kicks off, as we see the name of the user appear in the top-right corner, but a "!" warning sign appears next to it, because MFA was not completed. Now, this is kind of expected, because no MFA was completed, but it's also where the problem at its core resides: why is there no MFA prompt to complete authentication?
Right now, users need to click on their name, click on Connect next to the warning message and then they get the MFA prompt and the login completes. However, even when that's done, if they go to open/save documents, OneDrive/SharePoint do not quickly appear in open/save menus; it takes a few moments (sometimes it takes a few minutes). They can go around that by adding a new location and selecting OneDrive Enterprise, but they need to enter their account and MFA again to connect. If there wasn't any delay, it might still not be too bad, but a few minutes is way too long.
We've been experimenting with having a process start at login to complete MFA right away so it's already completed when Word starts, but we're not managing to get any concrete result. Sometimes it works, sometimes it doesn't, as if sometimes only the app is authenticated and sometimes the authentication is passed to the entire session, but there is no way to have a constant result.
The first test was to launch Edge with a homepage that requires MFA. Our second test was to install OneDrive (per-machine edition, as the per-user edition takes a bit of time to add itself to the user's profile) and have it launch at login (with an odopen:// URL to have the username prefilled) and only have a few clicks to complete MFA and be logged on. We also ran tests with the EnableADAL=1 key for the OneDrive app.
Most tests were done on a VM (where the test account has never connected, so no traces of the profile): did configs, took a cold snapshot, tested, reverted to the snapshot to try other settings. In some cases, we did settings, tried it and had a positive result. Then we reverted back to the snapshot with the same exact settings and tried again, and the app MFA login wasn't passed to Word. Both tests were from the same snapshot, same timeframe (time to login, authenticate in the app, then launch Word to test).
We've also tested different delays between each step to see if we needed to let some info sync somewhere, but it was available. Nothing conclusive. In case reverting back to snapshots caused sync issues with AzureAD in some way, we ran some of those tests on physical computers and it also failed.
Especially in the case of the remote desktop server, the usual use case is to connect and access documents through Word/Excel, which is harder to do, especially for people who are not used to using technology like this.
We are running out of ideas on how to provide a better login/MFA experience. Any sure way to complete MFA, at login or simply when launching any Office app, would be welcome! Any savior around here?
Jul 05 2022 08:43 AM