Forum Discussion
Random MFA prompts from Universal Store Native Client
Hi!
Can confirm that we have the same problem. Did a test yesterday where users got to test SMS and/or app authentication, but it didn't matter.
Does not affect use, but it is an annoyance for users.
Yesterday I dug a bit deeper in the sign-in logs and apparently only our hybrid Azure AD joined devices are impacted by this.
The devices which are only Azure AD registered do not get prompted and have 'Success' for the Universal Store login with the comment 'MFA requirement skipped due to registered device'.
You'd think that the hybrid joined devices would also do this since that's a step up from being just registered.
I'll see if I can get MS support on this.
- itai248, Oct 13, 2019, Copper Contributor
Hi,
I'm dealing with the same issue and I've been trying to explain this situation to Microsoft Azure support, and they aren't that much of a help.
All they know is to say that the user needs to change his password, although I'm showing them that there isn't any breach, the attempt is being made from inside the organization, and the MFA alert is caused by the "Universal Store Native Client" or "Office UWP PWA" apps.
At one time I asked the technician what the Office UWP PWA app even is, and he said to me "How should I know? You tell me what it is".
- Steve Hernou, Oct 22, 2019, Iron Contributor
Well I got an MS support tech on the phone and I got a little bit more information.
******
As you have not received the Primary authentication prompt because the device is Hybrid Azure AD joined. The application uses WAM; we see the application, Universal Store Native Client, has a token to access Windows Store for Business. User is MFA enabled.
As you have confirmed that this usually happens after a boot-up process of the host machine, the MFA prompt is because of the below:
If there is no MFA claim on the machine, then the Primary Refresh Token will be used to authenticate the user and MFA will be challenged to get the MFA claim.
The application is running in the background (you can see it under the Task Manager) and when a reboot happens, the application automatically tries to authenticate without user interaction. The user is not presented with the Primary authentication page as the device is Hybrid Azure AD joined and it picks up the Windows credentials.
- As MFA is enabled for the user account, the user is presented with an MFA challenge.
- To avoid the MFA prompts, try to disable the application from the Task Manager and reboot the machine.
To confirm again, this is expected behavior.
*******
I can sort of follow where they are going with their assessment, were it not that we use CA to define when MFA should kick in, and we have a few trusted IPs from which no MFA is required, and it even happens when connected to those networks.
They say 'try to disable the app from Task Manager and reboot' but anyone know the process for the Microsoft Store? 🙂
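The sign-in log analysis described earlier in the thread (hybrid joined devices prompted, registered devices showing 'MFA requirement skipped due to registered device') and the trusted-IP point above can be checked in bulk. The following is an added example, not code from the thread or from Microsoft: it triages a constructed sign-in export, counting background-app sign-ins per device trust type and flagging MFA prompts that came from a network the CA policy treats as trusted. Field names follow the Graph `signIn` schema as I understand it (`appDisplayName`, `deviceDetail.trustType`, `status.errorCode`, `ipAddress`) and error 50074 ("Strong Authentication is required") is assumed to be the MFA interrupt; verify both against your own export.

```python
"""Triage Azure AD sign-in records for background MFA prompts.

Constructed sample data; field names and the 50074 MFA-interrupt code are
assumptions to be checked against a real sign-in log export.
"""
import ipaddress
from collections import Counter

# Apps the thread identifies as authenticating silently after reboot.
BACKGROUND_APPS = {"Universal Store Native Client", "Office UWP PWA"}
MFA_INTERRUPT = 50074  # assumption: AADSTS50074, strong auth required

# Constructed sample export (not real log data).
SIGNINS = [
    {"userPrincipalName": "a@example.com", "appDisplayName": "Universal Store Native Client",
     "ipAddress": "203.0.113.10", "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "status": {"errorCode": MFA_INTERRUPT, "additionalDetails": "Strong Authentication is required."}},
    {"userPrincipalName": "b@example.com", "appDisplayName": "Universal Store Native Client",
     "ipAddress": "198.51.100.7", "deviceDetail": {"trustType": "Azure AD registered"},
     "status": {"errorCode": 0, "additionalDetails": "MFA requirement skipped due to registered device"}},
    {"userPrincipalName": "c@example.com", "appDisplayName": "Office UWP PWA",
     "ipAddress": "192.0.2.5", "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "status": {"errorCode": MFA_INTERRUPT, "additionalDetails": "Strong Authentication is required."}},
    {"userPrincipalName": "d@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.11", "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "status": {"errorCode": MFA_INTERRUPT, "additionalDetails": "Strong Authentication is required."}},
]


def mfa_prompted(record):
    """True when the sign-in was interrupted for an MFA challenge."""
    return record.get("status", {}).get("errorCode") == MFA_INTERRUPT


def triage(records, trusted_networks):
    """Count background-app sign-ins by (trust type, outcome) and list users
    who were prompted from a trusted network, where CA should not require MFA."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    summary = Counter()
    prompted_from_trusted = []
    for r in records:
        if r.get("appDisplayName") not in BACKGROUND_APPS:
            continue  # interactive apps are out of scope for this pattern
        trust = r.get("deviceDetail", {}).get("trustType") or "unknown"
        outcome = "MFA prompted" if mfa_prompted(r) else "no prompt"
        summary[(trust, outcome)] += 1
        src = ipaddress.ip_address(r["ipAddress"])
        if outcome == "MFA prompted" and any(src in n for n in nets):
            prompted_from_trusted.append(r["userPrincipalName"])
    return dict(summary), prompted_from_trusted


if __name__ == "__main__":
    print(triage(SIGNINS, ["203.0.113.0/24"]))
```

A non-empty second list is the thread's symptom: an MFA challenge for a silent sign-in from a location the CA policy exempts, which is worth raising with support alongside the sign-in IDs.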
- Michael McLaughlin, Nov 20, 2019, Microsoft
Steve Hernou, I'm a program manager on the Azure AD team. I reached out in a private message for more information so our engineering team can take a deeper look at your issue.