Require MFA for AAD Hybrid joined devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim
?
Essentially, that whenever a PRT requests a token, it does so by bypassing MFA or rather with the authority that MFA would grant it?
Do you see any security concerns in this approach in terms of bad actors getting their hands on an unlocked device? And what would be possible remedies?
Yup, that's pretty much it. Why do you think it's a security issue?
- AllanWith, Jul 09, 2019, Iron Contributor
Bypassing MFA has our IT department concerned that (for instance):
1) Someone who gets access to an unlocked AAD-joined device can go directly to Office 365 (using a browser) without being challenged for MFA.
2) Malware will be able to directly attack and access Office 365 services.
We understand that if the user has, for instance, connected Outlook and OneDrive on their PC and synced the content, MFA is effectively already bypassed, but we want to understand whether the threat surface becomes larger by AAD-joining devices or whether our worries are unwarranted :).
- VasilMichev, Jul 09, 2019, MVP
Well, with AAD-joined devices the device itself is considered the second factor, so you must take all necessary actions to secure it. Simply locking the device is enough: the PRT cannot be accessed unless a "gesture" is performed, so any other user trying to log in to the same device will not be able to automatically access O365 resources belonging to the given user.
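A practical way to see the state Vasil describes on a given machine, added here as an example and not code from the thread or from Microsoft: on Windows, `dsregcmd /status` reports whether the device is Azure AD joined (hybrid joined if it is also domain joined) and whether a PRT is present for the signed-in user. The script below parses that output and summarises what an attacker holding the unlocked device would inherit. The field names are the ones dsregcmd prints; the embedded sample output is constructed, and the timestamp format it assumes (`yyyy-MM-dd HH:mm:ss.fff UTC`) is an assumption you should check against your own output.

```powershell
# Added example: parse "dsregcmd /status" and report whether this device holds an
# Azure AD PRT, i.e. whether a browser or app on the unlocked device can obtain
# tokens without an interactive MFA prompt. Not part of the original thread.

function ConvertFrom-DsregcmdStatus {
    # dsregcmd prints "   Key : Value" lines; section headers and separators are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function ConvertTo-DsregcmdTime {
    # Assumed format: "2019-07-09 08:12:34.000 UTC". Returns $null if it does not parse.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $clean = ($Text -replace '\s*UTC\s*$', '')
    try {
        $t = [datetime]::ParseExact($clean, 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        return [datetime]::SpecifyKind($t, [DateTimeKind]::Utc)
    } catch { return $null }
}

function Get-PrtExposure {
    param([Parameter(Mandatory)][hashtable]$Status)
    $azureJoined = $Status['AzureAdJoined'] -eq 'YES'
    $hybrid      = $azureJoined -and ($Status['DomainJoined'] -eq 'YES')
    $hasPrt      = $Status['AzureAdPrt'] -eq 'YES'
    $updated     = ConvertTo-DsregcmdTime $Status['AzureAdPrtUpdateTime']
    $expires     = ConvertTo-DsregcmdTime $Status['AzureAdPrtExpiryTime']

    # What an unlocked session on this device gives someone who sits down at it.
    $note = if (-not $azureJoined) {
        'Not Azure AD joined: no PRT, cloud sign-in is password/MFA each time.'
    } elseif (-not $hasPrt) {
        'Joined but no PRT for this user: tokens still require interactive sign-in.'
    } else {
        'PRT present: unlocked session can get tokens silently; the device itself is the second factor, so lock/encrypt it.'
    }

    [pscustomobject]@{
        AzureAdJoined = $azureJoined
        HybridJoined  = $hybrid
        HasPrt        = $hasPrt
        PrtUpdatedUtc = $updated
        PrtExpiresUtc = $expires
        Note          = $note
    }
}

# Constructed sample in the layout dsregcmd uses, so the script runs without the tool.
$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-07-09 08:12:34.000 UTC
      AzureAdPrtExpiryTime : 2019-07-23 08:12:34.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

# Prefer the live tool when present; fall back to the constructed sample otherwise.
$lines = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) { dsregcmd /status } else { $SampleOutput }
$status = ConvertFrom-DsregcmdStatus -Lines $lines
Get-PrtExposure -Status $status | Format-List
```

Run it in the user's own session (not an elevated prompt started as a different account), since the PRT is per user; on the sample it reports a hybrid-joined device with a PRT, which is exactly the situation Allan's team is worried about.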
- OECM_Support, Aug 11, 2021, Copper Contributor
VasilMichev Hey Vasil, we think the security issue is that if the laptop is stolen and the password is compromised, the person automatically gets access to all company resources. We understand the technical details behind the scenes of a PRT. But if all we want is a second protection, other than a password, when the laptop is stolen, this does not satisfy it, correct?
- fabs73514, Jul 19, 2022, Copper Contributor
OECM_Support Using this logic, you also have the same problem if a smartphone is stolen and the PIN (which is even easier than a strong password) is known. The attacker would then have access to the MFA app and all M365 passwords, which are probably stored in the device's password manager. I would put the likelihood of someone stealing a smartphone and finding out the PIN higher than that of someone stealing the computer.
The moral of the story: users can lose either a device or its password without being hacked right away. But once they lose both at the same time, there's a real security problem. It would be best to instruct users not to write passwords on a sticker on the device :).