Steve Hernou
Iron Contributor
Oct 09, 2019

Random MFA prompts from Universal Store Native Client

Good morning

 

Facing a rather bothersome issue at the moment. Our users are randomly being prompted for MFA authentication when they are not actively logging in somewhere.

At first they just figured their account was being attacked but when looking at the sign-in logs, I see all the attempts match an application 'Universal Store Native Client' which refers to the Windows Store for Business.

So in essence it's not an attack so that's good but the employee never sees anything on their PC about this login attempt. They just get the app notification or the call from MS and luckily they decline.

 

There does not seem to be a negative impact on the PC side but I'd like to find a way to avoid this prompt or make it so the employee knows where it's coming from.

 

I looked around in the cloud apps section of conditional access policies but cannot find anything in the app list related to the Store app.

 

Anyone have ideas on how to find a workable solution for this?

 

Cheers

Steve

  • kentknuttes
    Copper Contributor

    Steve Hernou 

     

    Hi!

     

    Can confirm that we have the same problem. Did a test yesterday where users got to test SMS and/or app authentication, but it didn't matter.

     

    Does not affect use but is an annoyance for users.

    • Steve Hernou
      Iron Contributor

      kentknuttes 

       

      Yesterday I dug a bit deeper in the sign-in logs and apparently, only our hybrid Azure AD joined devices are impacted by this.

      The devices which are only Azure AD registered do not get prompted and have 'Success' for the Universal Store login with comment 'MFA requirement skipped due to registered device'

      You'd think that the hybrid joined devices would also do this since that's a step up from being just registered.

      I'll see if I can get MS support on this.
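
The log comparison described in the post above can be scripted. This is an added example, not part of the original posts: it groups sign-ins for the two apps named in this thread by device trust type and outcome, and lists MFA interrupts that do not fit the benign pattern. The records are constructed; field names follow the Microsoft Graph signIn export, and the corporate network range and the trust-type strings are assumptions.

```python
import ipaddress
from collections import Counter

# Apps named in the thread as the source of the unexplained prompts.
BACKGROUND_APPS = {"Universal Store Native Client", "Office UWP PWA"}
# AADSTS codes logged when a sign-in is interrupted for MFA.
MFA_CODES = {50074, 50076, 500121}
# Assumption: the organisation's egress range (documentation prefix used here).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def rec(user, app, trust, code, ip, details=""):
    """Build one constructed record shaped like a Graph signIn object."""
    return {"userPrincipalName": user, "appDisplayName": app, "ipAddress": ip,
            "deviceDetail": {"trustType": trust},
            "status": {"errorCode": code, "additionalDetails": details}}

# Constructed sample data, not taken from any real tenant.
SIGNINS = [
    rec("alice@example.com", "Universal Store Native Client",
        "Hybrid Azure AD joined", 50074, "203.0.113.10"),
    rec("bob@example.com", "Universal Store Native Client",
        "Azure AD registered", 0, "203.0.113.11",
        "MFA requirement skipped due to registered device"),
    rec("carol@example.com", "Office UWP PWA",
        "Hybrid Azure AD joined", 50074, "198.51.100.7"),
    rec("dave@example.com", "Office 365 Exchange Online",
        "Azure AD joined", 0, "203.0.113.12"),
]

def triage(records, corp_nets=CORP_NETS):
    """Return (counts per app/trust type/outcome, prompts needing review)."""
    summary, review = Counter(), []
    for r in records:
        app = r["appDisplayName"]
        if app not in BACKGROUND_APPS:
            continue
        trust = r.get("deviceDetail", {}).get("trustType") or "unknown"
        code = r["status"]["errorCode"]
        outcome = ("success" if code == 0 else
                   "mfa_interrupt" if code in MFA_CODES else "other_failure")
        summary[(app, trust, outcome)] += 1
        inside = any(ipaddress.ip_address(r["ipAddress"]) in n for n in corp_nets)
        # A prompt from an outside address or an unidentified device is not
        # the benign pattern described in the thread; list it for review.
        if outcome == "mfa_interrupt" and (not inside or trust == "unknown"):
            review.append((r["userPrincipalName"], r["ipAddress"]))
    return summary, review
```
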

      • itai248
        Copper Contributor

        Hi,
        I'm dealing with the same issue and I've been trying to explain this situation to Microsoft Azure support, and they aren't much of a help.
        All they know is to say that the user needs to change his password, although I'm showing them that there isn't any breach, the attempt is being made from inside the organization, and the cause of the MFA alert is the "Universal Store Native Client" or "Office UWP PWA" apps.
        At one point I asked the technician what the Office UWP PWA app even is, and he said to me, "How should I know? You tell me what it is" :xd:

  • mbergq
    Copper Contributor

    We're facing the same issue. Please keep us posted on how this develops.

  • lfkentwell
    Brass Contributor

    Steve Hernou I have the same problem. I provided a log sample to the MS Australia security lead today, hoping that with an insider we can get answers. In my case we block the UK in Conditional Access, which is where all this traffic is originating from, so we are safe, but it's a frigging nuisance with all the MCAS alerts coming through.

    • Steve Hernou
      Iron Contributor

      Small update via one of the conditional access product managers.

       

      - There is no way to individually target the 'Universal Store' app in the CA policies. It doesn't make sense for all apps to be individually targetable (due to underlying dependencies).

      - A possible solution/workaround (depends on your point of view) and only if you have HAAJ devices would be to update your CA policy to 'require MFA or hybrid join' and combine this with WHFB.
      Of course this requires (significant) changes in your environment depending on your current situation and implementing WHFB is a project in its own right.

       

      I have again asked if there's anything we can do in the as-is situation to alleviate employee frustration without lowering our current security posture... update when I get info 🙂

      • Steve Hernou
        Iron Contributor

        This might be the last update for a while. Received confirmation from CA product manager that there's really nothing we can do to suppress these prompts (unless you want to change your existing configuration - see previous post).

         

        They are getting in touch with the people from the Universal Store app to see what they can do in the future but we shouldn't expect anything short term.

         

        Michael McLaughlin , can you 'tag' this article and update when there's news from Microsoft side please?

         

        Thanks and happy holidays everyone

    • Steve Hernou
      Iron Contributor

      lfkentwell 

       

      So far no news to report here. Haven't received feedback yet from conditional access product manager but I relaunched this morning.

      Please share should you receive something useful from your side of the globe 🙂

      • Michael McLaughlin
        Microsoft

        Folks, I'm pulling in some of my colleagues from the conditional access team and we're looking at the situation. We'll share any results we find. Steve's summary above is accurate--in the examples we've looked at, CA is triggering MFA as the policies define. 
