SOLVED

Azure app to always ask for MFA

Iron Contributor

Hi all,

 

We have an Azure APP that we want to always ask for MFA code. This is a sensitive app that requires connecting from outside our LAN.

Right now, our service settings is set to allow users to remember MFA on devices they trust for 30 days.

I need to bypass this and force the users to always enter credentials every time they login to the app.

 

Is there a way to do that?

 

Thanks, Rahamim.

8 Replies

Afaik you cannot. @Daniel Stefaniak was just discussing a similar scenario on another board, perhaps he can tune in here as well.

@VasilMichev 
in genera prompts are bad for security:

https://duo.com/blog/usability-is-security-the-future

https://duo.com/blog/part-1-usability-is-security. We will not let you compromise your security posture by breaking fundamentals of SSO

This isn't about breaking SSO, I need a way to give the user a prompt for credentials because the azure app is sensitive and my users don't always come from a trusted computer.
Think about it like always using Skype for business plug-in when adding to the URL "?sl=1".
Thanks, Rahamim.
best response confirmed by RahamimL (Iron Contributor)
Solution

@RahamimL you can set MFA policies per app if you have Azure AD P1/P2 using conditional access. However, AFAIK it can not be used to overrule the "remember MFA for 30 days".

Thanks, @Nestori Syynimaa 

@RahamimL .. were you able to get past this? I agree, 30 days is a bit much for sensitive apps.
We use a different method - We force users to use only azure joined or hybrid joined computers with conditional access. this allows us to control how people will use high risk apps.

@RahamimL .. Thanks!

1 best response

Accepted Solutions
best response confirmed by RahamimL (Iron Contributor)
Solution

@RahamimL you can set MFA policies per app if you have Azure AD P1/P2 using conditional access. However, AFAIK it can not be used to overrule the "remember MFA for 30 days".

View solution in original post