Mobile Application Management and MFA


Hi all,


I've set up a CA policy for a test user. The user must use the required app and MFA to access Exchange Online. We also want a PIN number for the app itself.


Should this setup work? If the user opens Outlook, should Outlook prompt for MFA and then the PIN number?


Hi David,


You can enforce MFA on the CA side or on the user level. MFA in general does have caching (refresh token). As long as your token is flagged as strong authentication, you don't need to do MFA again, so you can use the token to get access to something.

If, on top of that, you now use Intune App Protection Policies (aka MAM), then you can enforce "Access requirements" for Outlook to prompt the user for a PIN on start. This would require the user to enter the PIN every time the app starts, regardless of your authentication token.

This is totally a valid setup; I have seen several environments running this.


best,

Oliver
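The setup Oliver describes, expressed as Microsoft Graph calls from PowerShell (an added example, not code from this thread): a Conditional Access policy that requires MFA and an approved client app for Exchange Online, plus an iOS App Protection Policy that requires a PIN on launch. The user object id is a placeholder; the Exchange Online app id and the Outlook bundle id are the published values as I know them, and the policy is created in report-only mode so its effect can be reviewed before enforcement.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","DeviceManagementApps.ReadWrite.All"

$testUserId          = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the test user
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online service principal

# 1. Conditional Access: mobile/desktop clients reaching Exchange Online need MFA AND an approved app.
#    "AND" matters: with "OR" a cached strong-auth token alone would satisfy the policy.
$caPolicy = @{
    displayName = "Test: EXO requires MFA + approved client app"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @($testUserId) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "approvedApplication")
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $caPolicy

# 2. App Protection Policy (MAM) for iOS: the PIN is checked by the app on every launch,
#    independent of whether the MFA refresh token is still valid.
$appPolicy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "Test: Outlook for iOS requires PIN"
    pinRequired   = $true
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" -Body $appPolicy

# Scope the policy to Outlook for iOS; the policy still has to be assigned to a group
# containing the test user (the "assign" action) before it takes effect.
$target = @{
    apps = @(
        @{ mobileAppIdentifier = @{
            "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
            bundleId      = "com.microsoft.Office.Outlook"
        } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body $target
```

Sign-in logs will then show the MFA decision per token request, while the PIN prompt is enforced locally by the app and is not visible there.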


Thanks @Oliver Kieselbach. I think the PIN number will probably satisfy everything really. Much appreciated.