Forum Discussion
Random MFA prompts from Universal Store Native Client
Steve Hernou, I have the same problem. I provided a log sample to the MS Australia security lead today, hoping with an insider we can get answers. In my case we block the UK in Conditional Access, which is where all this traffic is originating from, so we are safe, but it's a frigging nuisance with all the MCAS alerts coming through.
- Steve Hernou, Dec 13, 2019, Iron Contributor
Small update via one of the conditional access product managers.
- There is no way to individually target the 'Universal Store' app in the CA policies. It doesn't make sense for all apps to be individually targetable (due to underlying dependencies).
- A possible solution/workaround (depends on your point of view) and only if you have HAAJ devices would be to update your CA policy to 'require MFA or hybrid join' and combine this with WHFB.
Of course this requires (significant) changes in your environment depending on your current situation and implementing WHFB is a project in its own right. I have again asked if there's anything we can do in the as-is situation to alleviate employee frustration without lowering our current security posture... update when I get info 🙂
- Steve Hernou, Dec 16, 2019, Iron Contributor
This might be the last update for a while. Received confirmation from CA product manager that there's really nothing we can do to suppress these prompts (unless you want to change your existing configuration - see previous post).
They are getting in touch with the people from the Universal Store app to see what they can do in the future but we shouldn't expect anything short term.
Michael McLaughlin, can you 'tag' this article and update when there's news from Microsoft side please?
Thanks and happy holidays everyone
- Cowgirlup, Dec 23, 2019, Copper Contributor
I hope for a resolution as well. I had already turned off MSCommerceProductPolicies and have now turned off store in 'user owned apps and services.' To me this alone should break any association with Native Store and associated credentials as I have disallowed it to be so. Not to mention it is not a requirement to have an account to access Native Store nor should it. Unless you admin via Intune you are creating a local account as an admin to deploy user apps and features (probably). Hopefully we will see a fix to this as end user confusion runs high in my line of business.
- Steve Hernou, Dec 09, 2019, Iron Contributor
So far no news to report here. Haven't received feedback yet from conditional access product manager but I relaunched this morning.
Please share should you receive something useful from your side of the globe 🙂
- Michael McLaughlin, Dec 11, 2019, Microsoft
Folks, I'm pulling in some of my colleagues from the conditional access team and we're looking at the situation. We'll share any results we find. Steve's summary above is accurate--in the examples we've looked at, CA is triggering MFA as the policies define.
- jjthomas, Dec 12, 2019, Copper Contributor
I want to chime in on this thread, as we are seeing the same behavior. (Unfortunately, our MFA configuration is not CA-based, as we have not altered it from turning it up almost 2 years ago and "forcing" MFA for everything.)
The good part, as others mentioned, is that users are reporting an unknown authentication attempt as fraud. The bad news is the user has no idea what is triggering it, and the logs point to the Universal Store Native Client. I look forward to possible solutions.