cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

Himanshu Singh
Iron Contributor

‎Dec 20 2021 02:08 AM - last edited on ‎Jan 14 2022 04:00 PM by

‎Dec 20 2021 02:08 AM - last edited on ‎Jan 14 2022 04:00 PM by

Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

My Scenario:-

 

  1. We are not synchronising password hash with Azure AD.
  2. We have federated authentication setup.

 

My Queries:-

 

  1. How does Azure AD senses/identifies when an user changes his/her password?

 

  1. Issuance of Azure AD tokens AT/RT/PRT are these some how related to om-premises Password Change task ? how please share all details

 

  1. Also it is seen when an on-premises user is changing password and device is Hybrid during Ctrl+Alt+Del sign in
    1. This is when machine is Authenticated using the certificates it is given by Azure AD for device authentication
    2. However then the user using this machine is at times is not prompted for MFA even when CA is enforcing MFA on every logon ?
    3. Is this known already ? what is/are the reasons ?
Labels:
1,157 Views
0 Likes
2 Replies
Reply
2 Replies
michael_moshkovich

‎Dec 20 2021 03:14 AM

‎Dec 20 2021 03:14 AM

Re: Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

Hi,

Azure AD does not care if a password changed (unless you are using Identity Protection), the authentication is federated to your own IdP (AD FS or whatever other service).

regarding MFA, can you please elaborate? please note that there a lifespans for authentication and refresh tokens, and unless you configure session control in CA, some scenarios might not require MFA each time.

regards,
0 Likes
Reply
Himanshu Singh

‎Dec 20 2021 08:05 PM

‎Dec 20 2021 08:05 PM

Re: Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA- NO MFA PROMPT

I explain again, either behavior is not consistent or its not understood clearly,

1. When machine is hybrid and it is restarted or user logs Off and is logging on, This is After Changing the Password, In my case passwords are changed thru a portal which is then updated-pushed in AD

a. The “Windows Sign” operation will get a PRT Token which will include the MFA token and then user will not be prompted for MFA ANYMORE! when accessing any service Mail, Teams, PowerBI etc...
b. This is based on this reading https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is...
c. And PRT includes MFA Claim here https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-d...

2. However when I test the same by clicking the “REVOKE ALL SESSSIONS” or Sign Out User from all application and then when the user signs in again he/she is being prompted for MFA, Why ?
a. It is true for both Outlook Desktop Client for Teams Desktop Client
b. or any BROWSER session too correct ?
c. But OneDrive for Business Client never prompts for MFA ?
d. Browser based sessions use WAM AND Desktop Clients use CloudAP Correct ?
0 Likes
Reply