SOLVED

MFA using Conditional Access Policy

Contributor

Good Morning!

 

I am testing MFA with Conditional Access (CA)Policy. If users login to OWA, Outlook, or Skype from an untrusted IP address (I created lists of IP addresses in "Named Locations" and have these lists in the Exclude section of requiring MFA), the user will be prompted to setup MFA and login using MFA authentication.The policy works.

 

I have questions on using MFA with CA policy:

 

1. Is there a way to determine if users enforced MFA (actually setup MFA) for their accounts if MFA was applied by CA policy? When test users enforced MFA in their accounts, the Azure MFA admin still showed their accounts as "Disabled" MFA state; When I ran the powershell command to check their MFA status, their status did not show "Enforced" either.

 

On other users that I have enabled MFA via the Azure MFA admin, or via powershell, and they actually setup MFA for their accounts, I can see that their MFA status changed from "Enabled" to "Enforced".

 

I would like to know how I can check which users actually setup MFA on their accounts, if we use MFA via CA policy.

 

2. How do you require users to setup (enforce) MFA for their accounts while logged into the trustedIP list of networks? This is preferred, instead of employees waiting until they are logging to O365 apps to setup MFA from an untrusted network.

 

My concern is that not all users will immediately setup MFA while logged in to O365 from a trustedIP.

 

If an employee has not yet setup MFA for their account, and an attacker gets their login credential and logs in to O365  from an untrusted network, the attacker will be prompted for the MFA setup and can then configure MFA for the employee (of course, using the attacker's preference for MFA).

 

Thank you in advance.

 

Emy

 

 

 

 

4 Replies
best response confirmed by Emy Loanzon (Contributor)
Solution

Communication is key, as with most security-related issues. Once you start the rollout (or even some time before it), ask your users to go to aka.ms/proofup and configure their MFA details. As for checking, I guess the best way would be to check whether the relevant details are populated under StrongAuthenticationUserDetails. Although if the user has only configured the App, I don't think this will show there. Oh well, I guess once the new MFA/SSPR API is out we will have a better solution.

Thank you, @Vasil Michev.

 

Yes, communication is key for implementing additional security, such as MFA.

Informing users to access aka.ms/proofup is a good option to enforce MFA registration. I gave it a try and will consider it as an option for our MFA roll out.

 

Going back to our company scenario, where MFA will be rolled out using Conditional Access (CA) policy based on TrustedIPs, I think I found a way to determine if a user setup MFA or not. The results are based on the tests I did with accounts that I enabled for MFA manually and ones that setup MFA via CA policy. It is by no means perfect. Monitoring if accounts applied MFA via CA policy will be a challenge, until Microsoft provides the tools to do so. What I did:

 

1. When a user's MFA account properties are manually changed from Disable, to Enable and then Enforced, the MFA state shows "Enforced" when I use this PS command:

 

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | select UserPrincipalName,@{N='MFA State';E={($_.StrongAuthenticationRequirements.State)}}

 

Sample Output:

UserPrincipalName       MFAState

Test1                             Enforced

 

2. But when I an account uses the MFA Conditional Access (CA) Policy to setup MFA, and I run the same command, the results show the following:

 

UserPrincipalName       MFAState

Test1                             Enforced

Test2

 

MFA Status is blank in PS, and shows still as disabled in the Azure MFA user admin.

 

3.To really verify that Test2 enforced MFA via CA policy, I wanted to disable MFA on Test2 and then have it setup MFA via CA policy again. How do I disable MFA on Test2 is Azure AD MFA shows its MFA as disabled and PS shows its MFA status as blank?

 

Using the MFA admin portal, for Test2, I checked the  "Require selected users to provide contact methods again" and the "Delete existing app passwords" for the user's MFA settings resets MFA for the user.

 

After resetting these MFA settings for the user, I ran the PS command I used before and Test2 is no longer in the list of users that have MFA enforced. So MFA has been reset.

 

4. Applying the MFA CA policy on Test2, I configured Test2's MFA. Now when I ran the MFA PS command above, it shows in the list, but no MFA status. But it shows that MFA has been enforced - and it is very likely because of the CA policy applied on Test2.

 

To double-check, I looked up the MFA status of Test2 in Azure AD Sign ins, it showed that MFA sign-in was successful, MFA was required and enforced on this account.

 

Running these tests, it appears that if MFA is applied using CA policy, the user MFA state changes to "Enforced" even if the PS command does not show the MFA status of the user.

 

Moving forward, I think I will use that MFA PS command and run it as a scheduled task that gives me a report, let's say every hour. The user account names that are in that list tells me who actually setup MFA for their accounts via CA policy (even though the MFA status does not show as enforced in the PS command).

 

I can double-check the names in that list and the results in "Azure AD - Sign-ins - user (type in userID)". The results include columns for Sign-in Status, MFA Required, MFA Result. The "MFA Required" shows "Yes", "MFA Result" should show "MFA Requirement satisfied by claim in the token".

 

Not the method of confirmation that I am hoping to use to check if users setup MFA using the CA policy, but something to have until Microsoft provides better tools to manage and report on MFA as applied with CA policy.

 

I hope this helps other admins faced with determining if MFA was applied via CA policy on user accounts.

 

 

 

 

 

 

 

 

Incidentally, the MFA/SSPR convergence (preview) was announced today, and the new API should follow up soon. This should hopefully solve or similar issues.

I Also saw the message that announced the registration experience for MFA and SSPR.  Does anyone know what changes ?  also hos is it different from the profile page in Myapps,microsoft.com?