Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them. Below Powershell snippet is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I'm enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet? $user = get-msoluser -UserPrincipalName yourUserName@contoso.com $StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault [PSCustomObject]@{ UserPrincipalName = $user.UserPrincipalName ObjectID = $user.objectid DisplayName = $user.DisplayName AuthEmail = $user.StrongAuthenticationUserDetails.Email AuthPhoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber PhoneDeviceName = $user.StrongAuthenticationPhoneAppDetails.DeviceName AuthAltPhone = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber State = if ($user.StrongAuthenticationRequirements.State -ne $null) { $user.StrongAuthenticationRequirements.State } elseif ( $user.StrongAuthenticationMethods.IsDefault -eq $true) { "ConditionalAccess ($(($user.StrongAuthenticationMethods| Where IsDefault -eq $True).MethodType))" } else { "Disabled" } PhoneAppNotification = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }) { $true } else { $false } PhoneAppNotificationIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).isDefault -eq "True") { $true } Else { $false } PhoneAppOTP = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }) { $true } else { $false } PhoneAppOTPIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTPIsDefault" }).isDefault -eq "True") { $true } Else { $false } TwoWayVoiceMobile = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }) { $true } else { $false } TwoWayVoiceMobileIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobileIsDefault" }).isDefault -eq "True") { $true } Else { $false } OneWaySMS = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }) { $true } else { $false } OneWaySMSIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMSIsDefault" }).isDefault -eq "True") { $true } Else { $false } }Conditional Access per HostPool or RDP properties conditional on clients
Good day all, I am struggling with the RDP properties of our different host pools. Corporate policy states that nothing should be able to be redirected from the local device. Which is fine and for the Full Desktop publishing we have configured this so on the host pool in RDP properties. However, now we have a separate host pool for a remote app. This remote I would only like to be able to connect to from the desktop host pool (nested) and not from the local device. As this is a Remote App the users need to interact with this application with the clipboard. So I want to know if there is a method, and if not, request a feature to make this possible. With kind regards,
Conditional Access Policies. App control to allow/reject Canvas apps on App ID?
The documentation reads that individual Apps can be included or excluded from policy. It seems possible that specific Power App Canvas apps can be identified by App ID and excluded or included. We would like to define which apps can be used across the organisation can this be done? Could we identify say 10 app IDs that are acceptable and put this in a policy for the org or groups? Would this mean that even if a user shares an app that unless it's in the policy the shared user could not use it? Thanks Richard U.K
Compliant intune device don't pass conditional access policy
Hey, I'm having problems configuring conditional access for unmanaged and managed devices when accessing ressources. I'm using the prebuild sharepoint CA rules(these are showing up in the CA portal when restricted access is activated in the ahrepoint admin portal under access controll menu) and added the condition that these rules are not applied when a hybrid joined or compliant device tries to get access. Unfortuantely this doesn't work, similar if I use a hybrid joined device or an intune joined compiant device. When I check the login logs in Azure AD I can see that the rules are applied and the fields(managed, compliant, connectiontype) under "device information" are empty so it seems Azure AD can't access the device state from the device itself when ressources are accessed from it. Does anyone know this issue, can reproduce it or have any ideas what needs to be done? Thanks and regards!Windows Virtual Desktop Sign-in prompt
Hello all, We are getting ready to deploy Windows Virtual Desktops into our prod environment, but I have a few concerns with the authentication process. As of now I have a conditional access policy that will require a user to use MFA when subscribing to our host pool using the Remote Desktop client app. This is great, but the sign in prompts one time, then seems to cache the auth token. I am looking for a way to prompt for sign-in every time, or require the sign in to be available on a certain IP via conditional access. We are a hybrid AD configuration with well established policies to protect our resources requiring all external access to have MFA requirement. This bypasses this requirement. This seems like a potential issue if someone were gain access to a computer and just click right through into the hosted app that is readily available in the RD app. Is there something I might be missing to set this as an option that requires a user to auth every time? Thanks! -SammyF
How can I configure conditional access every time in a client app?
Hello. Even if close the client app, Azure AD credential will remain. Therefore, Azure AD authentication will not occur unless explicitly sign out of the client app. With this specification, conditional access will not useful in most scenarios. Are there any updates planned that accordingly require Azure AD authentication? I also found that I can reset Azure AD authentication by deleting the following registry value: === Registry Key : HKEY_CURRENT_USER\Software\Microsoft\RdClientRadc\https://mrs-prod.ame.gbl/mrs-RDInfra-prod Name : WebAccountIdStore === I will try to avoid this by scheduling a task to reset this value accordingly. What do you think about this? Is there another good way?Intune and Conditional Access
Hi All, I have been asked a few questions about Intune and Conditional Access and I was hoping to get some advice. The question I was asked: ***************** As discussed we have a situation that I believe MS InTune would address. That said, I don’t know what I don’t know, so your direction around the subject would be appreciated. We have migrated 99% of the e-mail estate to Office 365. Over the next month, we will migrate our home and shared drives. In migrating the e-mail users, we have found that a small percentage of the estate, ~20% (15-20 users), were using Corporate e-mail on personal devices. The devices vary from iOS, Android, Mac OSX, Windows. We need to have full control of e-mail residing on third-party devices. It needs to be secure; we need to be able to monitor and track the e-mails. Note, we currently use SOTI for Android device management. We will need to understand if there are any implications associated with coexistence. In parallel to the above, we need to develop our full e-mail policy. We would also need documentation and training on how to administer Intune once live. The documentation is essential. Hopefully the above gives you enough to start with. Please let me know what it would cost to get the above in place. Ignore licenses, I’ll deal with those. While writing, do you know of a way to prevent Office 365 users from downloading or printing from a browser, but only when outside of the corporate network? ***************** Do you know how I would use Intune and Conditional Access to achieve these requirements? I hope you can help, Alan
