Forum Discussion
Random MFA prompts from Universal Store Native Client
Small update via one of the conditional access product managers.
- There is no way to individually target the 'Universal Store' app in the CA policies. It doesn't make sense for all apps to be individually targetable (due to underlying dependencies).
- A possible solution/workaround (depends on your point of view) and only if you have HAAJ devices would be to update your CA policy to 'require MFA or hybrid join' and combine this with WHFB.
Of course this requires (significant) changes in your environment depending on your current situation and implementing WHFB is a project in its own right.
I have again asked if there's anything we can do in the as-is situation to alleviate employee frustration without lowering our current security posture... update when I get info 🙂
This might be the last update for a while. Received confirmation from CA product manager that there's really nothing we can do to suppress these prompts (unless you want to change your existing configuration - see previous post).
They are getting in touch with the people from the Universal Store app to see what they can do in the future but we shouldn't expect anything short term.
Michael McLaughlin, can you 'tag' this article and update when there's news from Microsoft side please?
Thanks and happy holidays everyone
- Cowgirlup, Dec 23, 2019, Copper Contributor
I hope for a resolution as well. I had already turned off MSCommerceProductPolicies and have now turned off store in 'user owned apps and services.' To me this alone should break any association with Native Store and associated credentials as I have disallowed it to be so. Not to mention it is not a requirement to have an account to access Native Store nor should it. Unless you admin via Intune you are creating a local account as an admin to deploy user apps and features (probably). Hopefully we will see a fix to this as end user confusion runs high in my line of business.
- romanmensch, Jun 15, 2021, Copper Contributor
Is there already a solution or an update here? Nothing has been written for a long time. We have the same problem with business devices Win10 that are hybrid join Azure AD and users get an error. We have a test group that has Windows Hello and it doesn't appear there. Can it be beaten with stronger authentication? For example with setting a pin? We are very grateful for any suggestions.
- neurotoxic, Apr 23, 2024, Copper Contributor
It is April 2024 - same issue is occurring on Windows 11 - Hybrid Azure Joined devices. What is the solution?