Forum Discussion
AllanWith
Jul 03, 2019, Iron Contributor
Require MFA for AAD Hybrid joined devices
We are planning a rollout of 2000 new Windows 10 devices to the entire organization on a new domain as part of a merger and accompanying org name change. We have an onprem environment with DCs th...
VasilMichev
MVP
Yup, that's pretty much it. Why do you think it's a security issue?
AllanWith
Jul 09, 2019, Iron Contributor
Bypassing MFA has our IT department concerned that (for instance):
1) Someone who gets access to an unlocked AAD joined device can go directly to Office 365 (using a browser) without being challenged for MFA.
2) Malware will be able to directly attack and access Office 365 services.
We understand that if the user has, for instance, connected Outlook and OneDrive on their PC and synced the content, MFA is effectively already bypassed, but we want to understand whether the threat surface becomes larger by AAD joining devices or whether our worries are unwarranted :).
VasilMichev, Jul 09, 2019, MVP
Well, with AAD joined devices the device itself is considered the second factor, so you must take all necessary actions to secure it. Simply locking the device is enough; the PTA cannot be accessed unless a "gesture" is performed, so any other users trying to log in to the same device will not be able to automatically access O365 resources belonging to the given user.
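For readers who, like the original poster, still want an explicit MFA prompt on hybrid joined devices rather than relying on the device as the second factor, the following is an added example of a Conditional Access policy created through the Microsoft Graph PowerShell SDK. It is not code from this thread or from either participant. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and that the tenant uses device filters (the `device.trustType -eq "ServerAD"` rule matches hybrid Azure AD joined devices). The policy is created in report-only mode so sign-in logs can be reviewed before anything is enforced; the display name is a constructed placeholder.

```powershell
# Added example (not from the thread): require MFA for browser and modern-auth
# sign-ins from hybrid Azure AD joined devices, in report-only mode first.
# Assumes Microsoft.Graph.Identity.SignIns is installed (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA - Require MFA on hybrid joined devices (REPORT ONLY)"   # constructed name
    # Report-only: evaluated and logged in sign-in logs, but not enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        # Browser and modern-auth clients are the ones that silently reuse the device token.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        devices = @{
            deviceFilter = @{
                mode = "include"
                # trustType "ServerAD" = hybrid Azure AD joined; "AzureAD" = Azure AD joined.
                rule = 'device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        # "mfa" alone: the device being joined does not satisfy the policy by itself.
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Show what was created so the id can be used later when switching state to "enabled".
$created | Select-Object Id, DisplayName, State
```

Design note: leaving the grant control at `mfa` only, rather than `mfa OR compliantDevice OR domainJoinedDevice`, is what produces the interactive prompt the original poster was asking about; adding the device controls with an OR operator would let a joined device satisfy the policy silently, which is the behaviour described in the reply above. Review the report-only results in the sign-in logs before changing `state` to `enabled`, and keep a break-glass account excluded from the policy.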