cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Double MFA when logging into Win10 with SAML-federated AAD identity

OrionJason
Brass Contributor

‎Jul 28 2020 06:35 PM - last edited on ‎Jan 14 2022 04:29 PM by

‎Jul 28 2020 06:35 PM - last edited on ‎Jan 14 2022 04:29 PM by

Double MFA when logging into Win10 with SAML-federated AAD identity

Our environment is predominantly Mac + GSuite. We have some users who need Office Apps but GSuite is our collaboration platform. We have a few Windows users. I followed this guide with a couple modifications to federate O365/AAD to GSuite with SAML.

 

While that works great for Mac users, Windows users have a few issues. I am managing Win10 laptops with Intune Device licenses and using that to enable Web Sign-in as well as mange device security posture and deploy a few applications. This allows users to log into their laptop with their AAD (Google-via-SAML) credentials. Google is enforcing 2-step auth so the user logs in with U/P and then 2FA. For some reason, even though MFA is set to Disabled for the user, they are prompted to set up (or use if they have already set up) Microsoft Authenticator to provide a 2nd factor to AAD. If they are disabled for MFA I have to enable their user so they can complete this step. I've looked at the Okta WS-Fed guide on how to signal AAD that MFA was used but have no idea how that might be accomplished in my scenario.

 

Once through the hoops the user sets up Windows Hello and it isn't really an issue with any frequency but it is really ugly and I want to fix it.

 

Is there a way to set all federated users to never be MFA-prompted while leaving MFA enabled for our non-federated admin user?

 

Thanks

2,487 Views
0 Likes
4 Replies
Reply
4 Replies
Vasil Michev

‎Jul 29 2020 09:32 AM

‎Jul 29 2020 09:32 AM

Re: Double MFA when logging into Win10 with SAML-federated AAD identity

You probably have Security defaults enabled: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

 

More generally speaking, Azure AD will honor MFA claims inserted by other IdPs, but I'm not sure if this is the case for G-Suite federation. 

0 Likes
Reply
OrionJason

‎Jul 29 2020 10:01 AM

‎Jul 29 2020 10:01 AM

Re: Double MFA when logging into Win10 with SAML-federated AAD identity

@Vasil Michev  I did enable Security Defaults as indicated in that link. I also went back in an toggled it back to No hoping that would take care of it but it did not change the issue. Once that setting is enabled, does toggling it off in the UI only revert some settings? Is there a list of what the security defaults are and their related Powershell commands to verify the UI un-sets them -or manually unset them as needed?

0 Likes
Reply
Vasil Michev

‎Jul 29 2020 10:04 AM

‎Jul 29 2020 10:04 AM

Re: Double MFA when logging into Win10 with SAML-federated AAD identity

The article lists what exactly Security defaults "translates" to, first paragraph on top. You wont see them in other parts of the UI.

0 Likes
Reply
OrionJason

‎Jul 30 2020 12:32 PM

‎Jul 30 2020 12:32 PM

Re: Double MFA when logging into Win10 with SAML-federated AAD identity

@Vasil Michev I see the list. I am having some difficulty finding a good way to determine the current state of those settings.

The group setting is off:

OrionJason_0-1596137418266.png

Specifically I want to make sure that these 2 are not enabled for the federated domain:

Requiring all users to register for Azure Multi-Factor Authentication.

Requiring users to perform multi-factor authentication when necessary.

 

Thanks

--Jason

 

0 Likes
Reply