Forum Discussion

fatshark_2k
Brass Contributor
Feb 12, 2020
Solved

Require MFA on Azure AD joined devices

I have Azure AD joined devices that are managed with Intune.

We have set up Conditional Access with the following conditions:

- App = SharePoint Online
- Control = Require MFA

What we observe is that users on Azure AD joined devices are not getting prompted for MFA when they go to SharePoint.

Is there a way to enforce MFA every time a user goes to SharePoint on Azure AD joined devices?


3 Replies

  • Cian Allner
    Silver Contributor

    fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials. This fulfils the requirement for MFA, which won't be prompted separately.

    https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

    This is also explained here:

    "Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls#microsoft-recommendations

    There is some further discussion on this here. I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.
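One way to confirm the behaviour described in this reply from your own tenant is to look at how the sign-in logs record the MFA grant: when the PRT's MFA claim satisfies the policy, Azure AD records the status detail "MFA requirement satisfied by claim in the token" rather than an interactive challenge. The script below is an added example (not code from the thread or from Microsoft); it classifies records shaped like Microsoft Graph `signIn` objects, and the sample records at the bottom are constructed.

```python
from collections import Counter

# Added example (not from the thread). Records follow the Microsoft Graph
# `signIn` shape; the sample values at the bottom are constructed.
# Status detail Azure AD writes when a token claim (e.g. from the PRT on an
# Azure AD joined device) satisfied the MFA grant control.
TOKEN_CLAIM_DETAIL = "MFA requirement satisfied by claim in the token"


def classify_mfa(signin: dict) -> str:
    """One of: 'not_required', 'failed', 'token_claim', 'interactive'."""
    if signin.get("authenticationRequirement") != "multiFactorAuthentication":
        return "not_required"
    status = signin.get("status", {})
    if status.get("errorCode", 0) != 0:
        return "failed"
    if (status.get("additionalDetails") or "").startswith(TOKEN_CLAIM_DETAIL):
        return "token_claim"
    return "interactive"


def summarize(signins: list, app: str = "Office 365 SharePoint Online") -> Counter:
    """Count, per device trust type, how the MFA requirement was met for one app."""
    counts = Counter()
    for s in signins:
        if s.get("appDisplayName") != app:
            continue
        # trustType is None for devices that are not registered or joined.
        trust = s.get("deviceDetail", {}).get("trustType") or "Unregistered"
        counts[(trust, classify_mfa(s))] += 1
    return counts


# Constructed sample records (Graph signIn shape, made-up values).
SAMPLE_SIGNINS = [
    {"appDisplayName": "Office 365 SharePoint Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"trustType": "Azure AD joined"},
     "status": {"errorCode": 0, "additionalDetails": TOKEN_CLAIM_DETAIL}},
    {"appDisplayName": "Office 365 SharePoint Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"trustType": None},
     "status": {"errorCode": 0, "additionalDetails": "MFA completed in Azure AD"}},
    {"appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"trustType": "Azure AD joined"},
     "status": {"errorCode": 0}},
]
```

Feeding an export of real sign-in records into `summarize` shows, per device trust type, whether SharePoint sign-ins are meeting the MFA control via the PRT claim or via an interactive prompt.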

  • Mark Lewis
    Brass Contributor

    https://jairocadena.com/2016/03/09/azure-ad-and-microsoft-passport-for-work-in-windows-10/ is a good explanation on this. Why do you need to MFA for access to SharePoint? Is it for compliance reasons? The reason being you want password and MFA prompts to be minimal for users to prevent acceptance fatigue.
  • Mark Lewis
    Brass Contributor

    fatshark_2k your AAD joined device classes as the secondary factor. Do you have Windows Hello for Business enabled as well?
