Jul 03 2019
12:42 PM
- last edited on
Jan 14 2022
04:38 PM
by
TechCommunityAP
We are planning a rollout of 2000 new Windows 10 devices to the entire organization on a new domain as part of a merger and accompanying org name change.
We have an on-prem environment with DCs that AAD sync and federate via ADFS to Office 365, and we have enabled MFA for access to Office 365 outside the company's network using conditional access.
Currently we are evaluating hybrid joining devices to AAD as well, to achieve SSO from within the company's network, but we want to make sure that MFA is still required from the outside, even on managed devices, if we choose to hybrid join them.
Having read through a lot of documentation already, it is not clear to me whether this can be achieved or whether MFA will be bypassed for said managed devices when outside the network.
Our concern is for potential situations where a bad actor gets their hands on an unlocked device and can open up a browser and directly access any Office 365 service.
Can anyone shine a light on this? What do we need to do, if anything? Thanks in advance.
Jul 04 2019 04:36 AM
@AllanWith Hi, in order to address the issues you describe you need to identify your public IPs and add those in the "Trusted locations" tab. Then all other clients coming from an IP not in the list will be prompted for MFA.
However, CA will not block your account. So the credentials could still be leaked, although no access will be granted.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks
If your organization is using a VPN such as DirectAccess or Always-On VPN you're in another kind of tight spot, given that the IP will always originate from your external IP.
Hope this helps
/Viktor
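The trusted-location setup described above, as an added example that is not part of the original thread: it creates a named location flagged as trusted and a Conditional Access policy that requires MFA for Office 365 from every location except trusted ones, using the Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph.Identity.SignIns module is installed, the signed-in account has the Policy.ReadWrite.ConditionalAccess permission, and 203.0.113.0/24 stands in for the organization's real egress ranges. The policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the thread): "MFA unless the client is on a trusted IP"
# built with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, and 203.0.113.0/24
# is a placeholder for your real public egress ranges (replace it).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location for the corporate egress addresses, marked as trusted.
#    "AllTrusted" in the policy below resolves to every location with isTrusted = true.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Policy: all users, the Office 365 app group, every location except trusted
#    ones -> grant access only with MFA. Report-only until you have reviewed the impact.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA for Office 365 outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

"Named location $($location.Id) and policy $($policy.Id) created (report-only)."
```

Before switching the state to `enabled`, exclude a break-glass account from the policy so an MFA outage cannot lock administrators out, and keep in mind the VPN caveat from the post above: clients whose traffic egresses through the corporate ranges (DirectAccess, Always-On VPN) will be treated as trusted and will not be challenged by this policy.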
Jul 04 2019 12:04 PM
If the device is already authenticated and has a valid PRT, it will bypass any MFA requirements (having a PRT is considered the same as doing 2FA). They will still be prompted to perform MFA upon the initial device join, or when the PRT has expired.
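A way to check the state the post above describes on a given machine, as an added example that is not part of the original thread: `dsregcmd /status` reports the join type and whether the device currently holds an Azure AD PRT, and this function parses its `key : value` lines into a small object. The sample output is constructed and trimmed to the fields of interest so the parser can be exercised anywhere; on a real device pass the live output instead.

```powershell
# Added example (not from the thread): read join state and PRT state from the
# output of `dsregcmd /status`. The $sample block below is constructed.

function Get-DeviceJoinState {
    param([string[]]$StatusLines)   # lines of dsregcmd /status output

    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints e.g. "                AzureAdPrt : YES"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined = $state['DomainJoined']  -eq 'YES'

    [pscustomobject]@{
        AzureAdJoined = $aadJoined
        DomainJoined  = $domainJoined
        HybridJoined  = $aadJoined -and $domainJoined   # both = hybrid Azure AD joined
        HasPrt        = $state['AzureAdPrt'] -eq 'YES'  # a PRT is present for this user
        PrtUpdateTime = $state['AzureAdPrtUpdateTime']
        PrtExpiryTime = $state['AzureAdPrtExpiryTime']
    }
}

# Constructed sample of dsregcmd /status output (only the relevant sections).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-07-04 08:12:33.000 UTC
      AzureAdPrtExpiryTime : 2019-07-18 08:12:33.000 UTC
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample

# On a real device, run against the live output:
#   Get-DeviceJoinState -StatusLines (dsregcmd /status)
```

`HybridJoined = True` together with `HasPrt = True` is exactly the situation the post describes: until `PrtExpiryTime` (or until the PRT is invalidated, for example by a device disable or password change that is not followed by a refresh), browser and Office sign-ins from that user session will satisfy the MFA requirement through the PRT instead of prompting.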
Jul 08 2019 03:50 AM
Jul 08 2019 03:54 AM
Jul 08 2019 09:03 AM
Yup, that's pretty much it. Why do you think it's a security issue?
Jul 09 2019 05:33 AM
Jul 09 2019 09:20 AM
Well, with AAD joined devices the device itself is considered the second factor, so you must take all necessary actions to secure it. Simply locking the device is enough: the PRT cannot be accessed unless a "gesture" is performed, so any other users trying to log in to the same device will not be able to automatically access O365 resources belonging to the given user.
Aug 11 2021 01:50 PM
@VasilMichev Hey Vasil, we think the security issue is that if the laptop is stolen and the password is compromised, the person automatically gets access to all company resources. We understand the technical behind the scenes of a PRT. But if all we want is a second protection other than a password when the laptop is stolen, this does not satisfy it, correct?
Jul 19 2022 08:45 AM - edited Jul 19 2022 08:49 AM
@OECM_Support Using this logic, you also have the same problem if a smartphone is stolen and the PIN (which is even easier than a strong password) is known. The attacker would then have access to the MFA app and all M365 passwords, which are probably stored in the device's password manager. I would put the likelihood of someone stealing a smartphone and finding out the PIN higher than someone stealing the computer.
The moral of the story: users can lose either a device or its password without being hacked right away. But once they lose both at the same time, there's a real security problem. It would be best to instruct users not to write passwords on a sticker on the device :).