cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional Access - Persistent browser session and LastPass SSO

skywalker98
Copper Contributor

‎Mar 25 2022 02:11 AM

‎Mar 25 2022 02:11 AM

Conditional Access - Persistent browser session and LastPass SSO

 

Hey everyone


Our customer has Azure AD connected devices that are set up with Intune.

We also have SSO set up for LastPass, which works without any issues.


Now the customer wants to enable MFA for portal.office.com and the LastPass browser add-in.

I set up a conditional access rule where I set the browser session settings to "never persistent". The MFA login works, but when users close the browser and reopen it, they remain logged in. This happens with portal.office.com and the LastPass browser add-in.


Could it be that they stay logged in because the devices are connected to Azure AD?

 

Thanks

Joël

 

Labels:
2,256 Views
0 Likes
4 Replies
Reply
4 Replies
joeyvldn

‎Mar 27 2022 06:52 AM

‎Mar 27 2022 06:52 AM

Re: Conditional Access - Persistent browser session and LastPass SSO

Azure AD joined devices and cloud apps like portal.office.com would do SSO if everything is configured correct. So yes, it can be because of your current config. Is the Windows logon done by WHfB? I guess not?

How are all your CA policies configured? What is the Azure AD sign-in log telling you?
0 Likes
Reply
skywalker98

‎Mar 28 2022 01:39 AM

‎Mar 28 2022 01:39 AM

Re: Conditional Access - Persistent browser session and LastPass SSO

@joeyvldn Thanks for your reply!

 

Most users log in to Windows with their O365 user and password. Only 1 user has WHfB enabled.

 

Here is how my CA policy for browser sign-ins is configured:

- Cloud apps or actions: All cloud apps

- Conditions: Client apps -> Browser

- Grant: Require multi-factor authentication

- Session: Persistent browser session -> Never persistent

 

The Azure AD sign-in log tells me that the conditional access policy is applied.

The auth method says "Previously satisfied" and the result is "satisfied by claim in the token".

 

skywalker98_0-1648456632930.png

skywalker98_1-1648456658792.png

 

 

 
 
0 Likes
Reply
joeyvldn

‎Mar 28 2022 06:11 AM

‎Mar 28 2022 06:11 AM

Re: Conditional Access - Persistent browser session and LastPass SSO

Hi @skywalker98,

Is this the user who is using WHfB? Check previous sign-in logs to determine which sign-in was prompted for MFA. If not. Is the Per-user MFA configured as enforced for this user?

I would recommend to focus on implementing WHfB. Windows sign-ins with WHfB are automatically protected by MFA and thus portal.office.com would be flagged as "previously satisfied".
0 Likes
Reply
noors710

‎Mar 28 2022 08:57 AM

‎Mar 28 2022 08:57 AM

Re: Conditional Access - Persistent browser session and LastPass SSO

Is this the user who is using WHfB? Windows sign-ins with WHfB are automatically protected by MFA and thus portal.office.com

0 Likes
Reply