SOLVED

MFA on Azure AD joined devices

Occasional Contributor

Hi Intune gang,

I'm having an issue with MFA prompts on Azure AD joined devices.

Allow me to give a quick explanation of the situation:

Our goal is to let multiple Azure users log in to this single Azure AD joined device, which seems easy enough. We've implemented some Intune policies to enforce OneDrive & Printix silent sign-in. This works perfectly fine with accounts that don't have MFA enabled in the M365 admin panel. When signing in with a user that has MFA enforced on this device, they get a message that says something along the lines of "Login again to resolve issues with your work or school account" and then they have to complete an MFA challenge, so the silent login policies don't work.

Is this expected behaviour, or can this MFA request be turned off using Conditional Access policies? I've already made a policy with the help of MS support, but they haven't been able to solve this issue yet.

I've added screenshots of this CA policy in the attachments. Some other things to note and that I've tried already:

  • We use a DEM account to enroll devices
  • All regular users have MFA enforced in the M365 Admin panel (under 'Users > MFA').
  • Turning MFA off for a test user solves the problem, but this means I have to make some CA policies to require MFA on non-compliant devices, right? Is this approach less safe than enabling MFA for every user?
  • Microsoft Support was testing some CA policies, which didn't seem to work at all

Any help would be greatly appreciated!

3 Replies
best response confirmed by WarreVlieghe (Occasional Contributor)
Solution
Hi, if I am reading between the lines... You are enforcing MFA in the admin.microsoft.com portal,
and you have a conditional access rule to make sure compliant devices don't get prompted for MFA.

You should make sure you configure the MFA setting in the admin center to disabled and let conditional access do its job (of course, prevent legacy auth). You want to have some granularity.

Hi, thanks for the quick response!

That's right, MFA is enforced in the admin.microsoft.com portal.

So what you're saying is to disable MFA for the user and use conditional access instead to ensure MFA? Is there any difference in security between enabling MFA in the admin portal or using CA for MFA?
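The accepted answer above describes three steps: turn off the per-user MFA setting from the admin center, put MFA under Conditional Access with an exception for compliant devices, and block legacy authentication. The script below is an added example of that procedure using the Microsoft Graph PowerShell SDK; it is not code from the thread or from Microsoft. The policy names, the `$BreakGlassUserId` parameter, the scope list and the `v1.0/users/{id}/authentication/requirements` endpoint version are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original thread): move one user from per-user MFA
# (what "Users > MFA" in admin.microsoft.com sets) to Conditional Access MFA.
# Assumptions: Microsoft.Graph module installed; the signed-in admin is granted the
# scopes requested below; the emergency-access account ID is supplied by you.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # user currently "enforced" in the admin portal
    [Parameter(Mandatory)] [string] $BreakGlassUserId,    # object ID of an emergency-access account to exclude
    [switch] $Enforce                                     # default is report-only so you can check sign-in logs first
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All',
                        'Policy.ReadWrite.AuthenticationMethod','UserAuthenticationMethod.ReadWrite.All','User.Read.All'

# Step 1: read and clear the per-user MFA state. Values are enabled/enforced/disabled.
$user   = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
$reqUri = "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/requirements"   # assumed endpoint version
$before = Invoke-MgGraphRequest -Method GET -Uri $reqUri
Write-Host "$($user.UserPrincipalName): perUserMfaState before = $($before.perUserMfaState)"
if ($before.perUserMfaState -ne 'disabled') {
    Invoke-MgGraphRequest -Method PATCH -Uri $reqUri -Body @{ perUserMfaState = 'disabled' } | Out-Null
    Write-Host "Per-user MFA disabled; Conditional Access is now the only MFA control for this user."
}

# Step 2: CA policy for all users and apps on modern-auth clients. "OR" between the two
# controls means an Intune-compliant device satisfies the policy without an MFA prompt
# (the silent sign-in case from the thread); any other device must do MFA.
$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
$mfaPolicy = @{
    displayName   = 'CA01 - Require MFA or compliant device (all users)'   # assumed name
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa', 'compliantDevice') }
}

# Step 3: legacy authentication cannot perform MFA at all, so block it outright.
$legacyPolicy = @{
    displayName   = 'CA02 - Block legacy authentication'                    # assumed name
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in @($mfaPolicy, $legacyPolicy)) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) {
        Write-Host "Already exists, skipping: $($p.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}
```

Run it once without `-Enforce`, let the affected users sign in, and review the Conditional Access report-only results in the Azure AD sign-in logs before switching the policies to enabled; the excluded emergency-access account is what keeps you from locking yourself out if a policy is wrong. For the device in the thread, the compliant-device control only suppresses the prompt when the device is reporting compliant in Intune for the user signing in, so check the device's compliance state before concluding the policy is not working.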