Feb 11 2020 11:59 PM
I have Azure AD joined devices that are managed with Intune.
We have setup conditional access with conditions;
- App=SharePoint Online
- Control=Require MFA
What we observe is that users on Azure AD joined devices are not getting prompted for MFA when they go to SharePoint.
Is there a way to enforce MFA everytime a user goes to SharePoint on Azure AD joined devices?
Feb 12 2020 05:02 AM
@fatshark_2kyour AAD joined device classes as the secondary factor. Do you have Windows Hello for Business enabled as well?
Feb 12 2020 05:10 AM
Feb 12 2020 07:41 AM
Solution@fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials. This fulfils the requirement for MFA, which won't be prompted separately.
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
This is also explained here:
"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."
There is some further discussion on this here. I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.
Feb 12 2020 07:41 AM
Solution@fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials. This fulfils the requirement for MFA, which won't be prompted separately.
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
This is also explained here:
"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."
There is some further discussion on this here. I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.