Home

AAD Reauthentication/MFA enforcement

%3CLINGO-SUB%20id%3D%22lingo-sub-775217%22%20slang%3D%22en-US%22%3EAAD%20Reauthentication%2FMFA%20enforcement%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-775217%22%20slang%3D%22en-US%22%3E%3CP%3ECurrently%2C%20user%20authentication%20to%20Azure%20AD%20with%20MFA%20is%20only%20required%20when%20subscribing%20to%20a%20feed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20be%20great%20if%20we%20could%20optionally%20flag%20host%20pools%20or%20specific%20remote%20applications%20with%20a%20requirement%20for%20user%20reauthentication%20against%20AAD%2C%20because%20this%20would%20allow%20to%20require%20MFA%20again%20and%20also%20cover%20the%20case%20of%20federated%20custom%20domains%20where%20AD%20FS%20%2B%20whatever%20custom%20authentication%2Fon-premises%20Microsoft%20MFA%20Server%2F3rd%20party%20MFA%20providers%20handle%20authentication.%20This%20would%20allow%20for%20stricter%20security.%20Instead%20of%20a%20flag%2Foption%20on%20the%20e.g.%20a%20desktop%20app%20group%2C%20this%20could%20also%20be%20represented%20in%20the%20form%20of%20policies.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1083877%22%20slang%3D%22en-US%22%3ERe%3A%20AAD%20Reauthentication%2FMFA%20enforcement%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1083877%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F382776%22%20target%3D%22_blank%22%3E%40CountZero%3C%2FA%3E%26nbsp%3B%3A%20Technically%2C%20you%20encounter%20an%20Azure%20AD%20prompt%20for%20each%20part%20(a)%20feed%20and%20(b)%20connection%20launch.%20However%2C%20as%20you%20notice%2C%20these%20are%20tied%20to%20the%20same%20Azure%20AD%20application%20so%20if%20a%20user%20prompts%20to%20get%20the%20feed%20(and%20there%20are%20no%20stricter%20controls)%20that%20token%20is%20valid%20for%20the%20connection%20launch%20as%20well.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20the%20suggestion.%20We're%20currently%20working%20on%20tighter%20integration%20with%20Intune%2C%20Conditional%20Access%2C%20and%20MFA%2C%20and%20a%20solution%20like%20this%20may%20be%20something%20we%20target.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECan%20you%20also%20post%20this%20on%20our%20UserVoice%20forum%20where%20we%20specifically%20look%20at%20it%20for%20features%2Ffunctionality%3A%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fwvdfbk%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fwvdfbk%3C%2FA%3E%20%3F%20Thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
CountZero
Frequent Visitor

Currently, user authentication to Azure AD with MFA is only required when subscribing to a feed.

 

It would be great if we could optionally flag host pools or specific remote applications with a requirement for user reauthentication against AAD, because this would allow to require MFA again and also cover the case of federated custom domains where AD FS + whatever custom authentication/on-premises Microsoft MFA Server/3rd party MFA providers handle authentication. This would allow for stricter security. Instead of a flag/option on the e.g. a desktop app group, this could also be represented in the form of policies.

1 Reply

@CountZero : Technically, you encounter an Azure AD prompt for each part (a) feed and (b) connection launch. However, as you notice, these are tied to the same Azure AD application so if a user prompts to get the feed (and there are no stricter controls) that token is valid for the connection launch as well.

 

Thank you for the suggestion. We're currently working on tighter integration with Intune, Conditional Access, and MFA, and a solution like this may be something we target.

 

Can you also post this on our UserVoice forum where we specifically look at it for features/functionality: https://aka.ms/wvdfbk ? Thanks