Forum Discussion
AllanWith
Jul 03, 2019
Iron Contributor
Require MFA for AAD Hybrid joined devices
We are planning a rollout of 2000 new Windows 10 devices to the entire organization on a new domain as part of a merger and accompanying org name change. We have an onprem environment with DCs th...
VasilMichev
Jul 04, 2019
MVP
If the device is already authenticated and has a valid PRT, it will bypass any MFA requirements (having a PRT is considered the same as doing 2FA). They will still be prompted to perform MFA upon the initial device join, or when the PRT has expired.
- AllanWith
Jul 08, 2019
Iron Contributor
Hello Vasil, thank you for the response and for pointing me in the right direction. Is what you are saying the same as what they are describing here:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim
?
Essentially, that whenever a PRT requests a token, it does so by bypassing MFA or rather with the authority that MFA would grant it?
Do you see any security concerns in this approach in terms of bad actors getting their hands on an unlocked device? And what would be possible remedies?
- VasilMichev
Jul 08, 2019
MVP
Yup, that's pretty much it. Why do you think it's a security issue?
- OECM_Support
Aug 11, 2021
Copper Contributor
VasilMichev Hey Vasil, we think the security issue is that if the laptop is stolen and the password is compromised, the person automatically gets access to all company resources. We understand the technical details behind the scenes of a PRT. But if all we want is a second protection other than a password when the laptop is stolen, this does not satisfy it, correct?
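To make the behaviour Vasil describes (and the stolen-laptop concern raised above) concrete, here is an added example that is not from the thread, Microsoft or Azure AD itself: a simplified model in which a valid PRT carrying an MFA claim satisfies an MFA requirement silently, while an expired PRT or one issued without MFA forces an interactive prompt. The claim names follow Azure AD token conventions ("amr" lists the sign-in methods, "exp" is the expiry); the PRT shape and policy logic are assumptions made for illustration.

```python
import base64
import json

# Added example, not code from the thread, Microsoft or Azure AD itself: a
# simplified model of the behaviour Vasil describes. A valid PRT carrying an
# MFA claim satisfies a Conditional Access MFA requirement silently; an
# expired PRT, or one issued without MFA, leads to an interactive prompt.
# Claim names follow Azure AD token conventions ("amr" lists the sign-in
# methods, "exp" is the expiry); the PRT shape and policy are assumptions.

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_prt(amr: list, exp: int) -> str:
    """Constructed, unsigned JWT-shaped stand-in for a PRT.

    A real PRT is encrypted and bound to a device key (TPM where available);
    this sample only carries the claims the policy check looks at."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps({"amr": amr, "exp": exp}).encode())
    return f"{header}.{payload}."

def claims_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))

def evaluate_token_request(prt, now: int, policy_requires_mfa: bool = True) -> str:
    """Decide how a token request from a device is served.

    "silent": issued from the PRT with no user interaction.
    "prompt": the user must sign in interactively, including MFA
              (initial join, expired PRT, or PRT without an MFA claim)."""
    if prt is None:
        return "prompt"                      # no PRT yet: initial join / sign-in
    claims = claims_of(prt)
    if claims["exp"] <= now:
        return "prompt"                      # expired PRT: full sign-in again
    if policy_requires_mfa and "mfa" not in claims.get("amr", []):
        return "prompt"                      # valid PRT, but MFA never done
    return "silent"                          # PRT (with MFA claim) is trusted

if __name__ == "__main__":
    # Scenario: MFA completed at device join, PRT valid until t=2000.
    prt = make_prt(["pwd", "mfa"], exp=2000)
    print(evaluate_token_request(prt, now=1000))   # silent
    print(evaluate_token_request(prt, now=2500))   # prompt
```

The "silent" path is exactly what the stolen-laptop concern is about: once the PRT carries the MFA claim, the password alone unlocks it until the PRT expires or the policy changes.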