Jul 28 2020 06:35 PM - last edited on Jan 14 2022 04:29 PM by TechCommunityAP
Our environment is predominantly Mac + GSuite. We have some users who need Office Apps but GSuite is our collaboration platform. We have a few Windows users. I followed this guide with a couple of modifications to federate O365/AAD to GSuite with SAML.
While that works great for Mac users, Windows users have a few issues. I am managing Win10 laptops with Intune Device licenses and using that to enable Web Sign-in as well as manage device security posture and deploy a few applications. This allows users to log into their laptop with their AAD (Google-via-SAML) credentials. Google is enforcing 2-step auth so the user logs in with U/P and then 2FA. For some reason, even though MFA is set to Disabled for the user, they are prompted to set up (or use if they have already set up) Microsoft Authenticator to provide a 2nd factor to AAD. If they are disabled for MFA I have to enable their user so they can complete this step. I've looked at the Okta WS-Fed guide on how to signal AAD that MFA was used but have no idea how that might be accomplished in my scenario.
Once through the hoops the user sets up Windows Hello and it isn't really an issue with any frequency but it is really ugly and I want to fix it.
Is there a way to set all federated users to never be MFA-prompted while leaving MFA enabled for our non-federated admin user?
Thanks
Jul 29 2020 09:32 AM
You probably have Security defaults enabled: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...
More generally speaking, Azure AD will honor MFA claims inserted by other IdPs, but I'm not sure if this is the case for G-Suite federation.
Jul 29 2020 10:01 AM
@Vasil Michev I did enable Security Defaults as indicated in that link. I also went back in and toggled it back to No hoping that would take care of it but it did not change the issue. Once that setting is enabled, does toggling it off in the UI only revert some settings? Is there a list of what the security defaults are and their related PowerShell commands to verify the UI un-sets them, or manually unset them as needed?
Jul 29 2020 10:04 AM
The article lists what exactly Security defaults "translates" to, first paragraph on top. You won't see them in other parts of the UI.
Jul 30 2020 12:32 PM
@Vasil Michev I see the list. I am having some difficulty finding a good way to determine the current state of those settings.
The group setting is off:
Specifically I want to make sure that these 2 are not enabled for the federated domain:
Requiring all users to register for Azure Multi-Factor Authentication.
Requiring users to perform multi-factor authentication when necessary.
Thanks
--Jason
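The following read-only script is an added example, not part of the thread or of any Microsoft guide. It pulls the three settings the posts above circle around (tenant security defaults, the federated domain's SupportsMfa flag, and per-user legacy MFA state) so the current state can be verified from PowerShell rather than the portal. It assumes the MSOnline and Microsoft.Graph modules are installed and uses "example.com" as a placeholder for the federated domain.

```powershell
# Added example, not from the thread. Assumes MSOnline + Microsoft.Graph modules.
$FederatedDomain = "example.com"   # placeholder: replace with the federated domain

Connect-MsolService
Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Security defaults: the tenant-wide switch that forces Authenticator
#    registration regardless of the per-user MFA state.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. Domain federation settings. SupportsMfa controls whether Azure AD trusts
#    the external IdP to have performed MFA (the flag the Okta WS-Fed guidance
#    sets with Set-MsolDomainFederationSettings -SupportsMfa $true; whether a
#    Google SAML assertion carries a usable MFA claim is an open assumption here).
$dom = Get-MsolDomain -DomainName $FederatedDomain
$fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
"Domain $FederatedDomain authentication: $($dom.Authentication)"
"SupportsMfa for ${FederatedDomain}: $($fed.SupportsMfa)"

# 3. Per-user (legacy) MFA state for users in the federated domain.
#    No StrongAuthenticationRequirements entry means the portal shows 'Disabled'.
Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$FederatedDomain" } |
    ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
                 else { $_.StrongAuthenticationRequirements[0].State }
        [pscustomobject]@{ User = $_.UserPrincipalName; PerUserMfa = $state }
    } | Format-Table -AutoSize
```

If security defaults report enabled, the two "Requiring ... multi-factor authentication" behaviours listed in the linked article are in force for every user, federated or not, and per-user MFA state is irrelevant until that policy is off.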