cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Require MFA on Azure AD joined devices

fatshark_2k
Brass Contributor

‎Feb 11 2020 11:59 PM

‎Feb 11 2020 11:59 PM

Require MFA on Azure AD joined devices

I have Azure AD joined devices that are managed with Intune.

We have setup conditional access with conditions;

- App=SharePoint Online

- Control=Require MFA

What we observe is that users on Azure AD joined devices are not getting prompted for MFA when they go to SharePoint.

Is there a way to enforce MFA everytime a user goes to SharePoint on Azure AD joined devices?

23K Views
0 Likes
3 Replies
Reply
3 Replies
Mark Lewis

‎Feb 12 2020 05:02 AM

‎Feb 12 2020 05:02 AM

Re: Require MFA on Azure AD joined devices

@fatshark_2kyour AAD joined device classes as the secondary factor. Do you have Windows Hello for Business enabled as well?

0 Likes
Reply
Mark Lewis

‎Feb 12 2020 05:10 AM

‎Feb 12 2020 05:10 AM

RE: Require MFA on Azure AD joined devices

https://jairocadena.com/2016/03/09/azure-ad-and-microsoft-passport-for-work-in-windows-10/ is a good explanation on this. Why do you need to MFA for access to sharepoint? Is it compliance reasons? The reason being you want password and MFA prompts to be minimal for users to prevent acceptance fatigue.
0 Likes
Reply
best response confirmed by fatshark_2k (Brass Contributor)
Cian Allner

‎Feb 12 2020 07:41 AM

‎Feb 12 2020 07:41 AM

Solution

Re: Require MFA on Azure AD joined devices

@fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials.  This fulfils the requirement for MFA, which won't be prompted separately.

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

 

This is also explained here:

 

"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls#mi...

 

There is some further discussion on this here.  I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by fatshark_2k (Brass Contributor)
Cian Allner

‎Feb 12 2020 07:41 AM

‎Feb 12 2020 07:41 AM

Solution

Re: Require MFA on Azure AD joined devices

@fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials.  This fulfils the requirement for MFA, which won't be prompted separately.

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

 

This is also explained here:

 

"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls#mi...

 

There is some further discussion on this here.  I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.

View solution in original post

1 Like
Reply