multi-factor authentication
2 Topics

Multiple conditional access / MFA questions
Hi all,

I've configured Conditional Access to require MFA when connecting to O365 services. I have some questions about this. All seems to work fine, but:

- The native iOS mail app seems to work for one day only for some users; it stops syncing and does not ask for MFA / credentials. All devices have iOS 12+.
- The Windows / Mac devices are not Azure AD joined, so Teams, Outlook and OneDrive are all requiring MFA. I've added the ability to remember MFA on devices they trust for 30 days. But, for example, for Teams there is no option to remember this for 30 days. Is this bound to a device? So if you choose 'remember for 30 days' on Outlook, will it remember it for all apps? If yes, do they need to enter MFA for all apps every 30 days? Or, if no, do they need to enter MFA every day? (Doesn't seem so.)
- I can't test this right now, but people tell me they did not choose 'remember for 30 days' and did not have to enter MFA today.

Conditional access is set up as (see attachment).

Does this have anything to do with tokens?

Cheers.

1.3K Views 0 likes 1 Comment

How to log on with Azure AD credentials on a Windows 10 device with MFA enabled
Hi together,

maybe one of you has got the same requirements and run into the same problem.

Situation:

- Windows 10 Enterprise or Windows 10 S
- Microsoft Intune Cloud (EMS)
- Microsoft Multi-Factor Authentication (MFA) on-premises handled by ADFS (internal no MFA, external (WAP) force MFA)
- Company Wi-Fi protected with certificates
- Credentials from Azure AD

Problem 1: As far as I have found, Intune is only able to deploy user certificates (SCEP profile) for Wi-Fi on Windows devices. This means that you can initially only log on with your Azure AD credentials to a Windows machine if you are plugged in to the company network or you have a public Wi-Fi connection with no authentication, so that you can connect to a Wi-Fi network on the logon screen. Has anyone managed to deploy client certificates with Intune?

Problem 2: As mentioned above, we use MFA on-premises and it's handled by ADFS. If a user authenticates from external (over WAP), we force MFA on the ADFS side. This is fine for web applications and other apps, but it seems that Windows logon cannot handle the MFA request and therefore it fails. Does anyone know if this scenario can somehow be made to work? Could this be handled by conditional access?

The goal should be that we can use a Windows 10 Enterprise or Windows 10 S device with Azure AD credentials which is already authenticated to our company Wi-Fi network at the logon screen, and that we can use multi-factor authentication somehow.

Thanks in advance for any input!

14K Views 0 likes 3 Comments