Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

Iron Contributor

My Scenario:-


  1. We are not synchronising password hash with Azure AD.
  2. We have federated authentication setup.


My Queries:-


  1. How does Azure AD senses/identifies when an user changes his/her password?


  1. Issuance of Azure AD tokens AT/RT/PRT are these some how related to om-premises Password Change task ? how please share all details


  1. Also it is seen when an on-premises user is changing password and device is Hybrid during Ctrl+Alt+Del sign in
    1. This is when machine is Authenticated using the certificates it is given by Azure AD for device authentication
    2. However then the user using this machine is at times is not prompted for MFA even when CA is enforcing MFA on every logon ?
    3. Is this known already ? what is/are the reasons ?
2 Replies

Azure AD does not care if a password changed (unless you are using Identity Protection), the authentication is federated to your own IdP (AD FS or whatever other service).

regarding MFA, can you please elaborate? please note that there a lifespans for authentication and refresh tokens, and unless you configure session control in CA, some scenarios might not require MFA each time.

I explain again, either behavior is not consistent or its not understood clearly,

1. When machine is hybrid and it is restarted or user logs Off and is logging on, This is After Changing the Password, In my case passwords are changed thru a portal which is then updated-pushed in AD

a. The “Windows Sign” operation will get a PRT Token which will include the MFA token and then user will not be prompted for MFA ANYMORE! when accessing any service Mail, Teams, PowerBI etc...
b. This is based on this reading
c. And PRT includes MFA Claim here

2. However when I test the same by clicking the “REVOKE ALL SESSSIONS” or Sign Out User from all application and then when the user signs in again he/she is being prompted for MFA, Why ?
a. It is true for both Outlook Desktop Client for Teams Desktop Client
b. or any BROWSER session too correct ?
c. But OneDrive for Business Client never prompts for MFA ?
d. Browser based sessions use WAM AND Desktop Clients use CloudAP Correct ?