We have received a requirement from a client where they want MFA to be imposed mandatorily in case a user accesses certain sensitive applications. E.g., I log in to myapps, am prompted for MFA and land on the desired page. On accessing a certain app from myapps I should be prompted for MFA again (irrespective of how long it has been since I logged in).
With conditional access policies, though I attach 'Require MFA' on those applications, it doesn't prompt for MFA if I am already logged in and have a session.
Any pointers as to how to achieve the intended functionality?
I don't think you can achieve this; if the user's session already exists, it will not re-enforce the MFA auth.
So if you want the re-auth with MFA, you need to clear the session. The closest way is to leverage the sign-in frequency policy, but you can only set it to 1 hour at least; after one hour, the user will be prompted to sign in again. Before enabling sign-in frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, be sure to disable it before using sign-in frequency.
Related
For our B2C tenant we want to let our customers make use of the Microsoft Authenticator app. When doing research, we noticed that it was not possible to add the Authenticator app for existing users without disabling phone/text message authentication.
This is not an acceptable situation for us since that means that someone with customer credentials can take over the enrolment flow.
An MS engineer suggested the following:
"The desired situation should be possible with a 'Registration campaign' - https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/RegistrationCampaign
Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator."
However, we enabled this option as described in the documentation, but after an existing user signs in no Authenticator app flow is started.
Does anyone have experience with how we can make this work?
As far as I know, even after enabling MFA, if existing users don't receive the authenticator app approval, please try the steps below:
There is a chance that your users selected "Stay signed in" while logging into their accounts. By doing this, their devices will be treated as remembered devices, which suspends MFA.
While enabling MFA, if you set "Remember MFA on trusted device", then the user won't get prompts until the duration expires.
To resolve the issue, try clearing all old session history by enabling "Revoke MFA sessions".
If the issue still persists, try enabling "Re-register MFA", which asks the users to set up a new MFA authentication method when they sign in.
For more reference, please find the links below:
Enable multifactor authentication in Azure Active Directory B2C
Manage user authentication options
I am using Azure services and Azure AD Free (my personal account).
I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users.
When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; maybe this is because the browser sends a cookie? Or maybe because MFA is not always triggered?
Also, if I open an incognito window I get prompted for a code, received via email. My question here is: why email? As per the MFA AAD doc, the email method is NOT an MFA channel!
Please check whether the following are the reasons you are not getting the prompt for second verification even though MFA is enabled:
Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft mostly suggests excluding the global admin account while enabling MFA. If you have done that, remove your account from the exception group.
There is also a possibility that you selected the checkbox saying "Stay signed in" while logging into your account. Then it will treat your device as a remembered device and suspend MFA. Also, please check in the screenshot below whether you have enabled this option (Remember MFA on trusted device). If you enabled that, you won't get prompts until the number of days you have given expires.
To remove all those sessions, enable "Revoke MFA sessions", which clears all remembered session history and asks for second verification.
As you already mentioned, MFA code won’t be sent via email.
From this Microsoft Doc:
"Email address is only used for Self-Service Password Reset (SSPR), not for authentication."
There is also a possibility that your password has expired and it's sending a code to your email to reset it, as you have given it as a recovery option.
NOTE:
As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA, based on factors such as location, device, role and task.
For example, if you are accessing from a different location and it seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.
Now I have configured a B2C tenant with an Enterprise app with MFA via a "User flow", with confirmation by email.
Everything is OK, but we need to use this MFA just once per day, so when users log in in the morning they have to use their login, password, and email to get a verification code just for the first time, and for the rest of the day, when they log out and log in again, they should use just their login (username) and password.
So, how to configure MFA for this?
I saw "Sign in frequency" in conditional access settings, but the documentation wasn't much helpful.
Any advice will be helpful, thank you.
We can manage authentication sessions with Azure AD Conditional Access by configuring the options below.
Configure sign-in frequency
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
Configure persistent browser session
This setting allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.
You can find more information here as well as steps to configure sign-in frequency.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-multi-factor-authentication
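As an added illustration of the two answers above (the 1-hour minimum sign-in frequency and the "always/never persist" browser setting), not code from the original posts: a Python helper that builds the Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy schema (signInFrequency and persistentBrowser session controls, an MFA grant control) and applies the same expiry rule locally. The app ID is a constructed placeholder.

```python
# Graph's signInFrequencySessionControl takes "hours" or "days"; the portal
# limits the range to 1 hour .. 365 days (see the answer above).
MIN_HOURS, MAX_HOURS = 1, 365 * 24


def sign_in_frequency(value: int, unit: str) -> dict:
    """Return a validated signInFrequency session control."""
    if unit not in ("hours", "days"):
        raise ValueError("unit must be 'hours' or 'days'")
    hours = value if unit == "hours" else value * 24
    if not MIN_HOURS <= hours <= MAX_HOURS:
        raise ValueError("sign-in frequency must be between 1 hour and 365 days")
    return {"isEnabled": True, "type": unit, "value": value}


def build_policy(name: str, app_ids: list, frequency: dict,
                 persistent_browser: str = "never") -> dict:
    """Body for POST /identity/conditionalAccess/policies: require MFA on the
    listed apps, enforce the sign-in frequency, and answer the 'Stay signed
    in?' question on the user's behalf (no cookie-based remembered session)."""
    if persistent_browser not in ("always", "never"):
        raise ValueError("persistentBrowser mode must be 'always' or 'never'")
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": frequency,
            "persistentBrowser": {"isEnabled": True, "mode": persistent_browser},
        },
    }


def reauth_due(elapsed_minutes: int, frequency: dict) -> bool:
    """Mirror the rule the policy enforces: once the session is as old as the
    configured frequency, the user must sign in (and pass MFA) again."""
    per_unit = {"hours": 60, "days": 24 * 60}[frequency["type"]]
    return elapsed_minutes >= frequency["value"] * per_unit


# Constructed sample: placeholder app ID, hourly re-authentication.
SENSITIVE_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app
HOURLY = sign_in_frequency(1, "hours")
POLICY = build_policy("Require MFA hourly for sensitive app", [SENSITIVE_APP_ID], HOURLY)
```

Note that a shorter window than one hour is rejected, which is exactly the limitation the first answer describes: per-request MFA on a live session is not expressible with this control.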
I am looking to design an MFA policy in B2C that has a longer refresh token window (let's say 1 day) to avoid frequent MFA challenges, but have an elevated access portion of the application that requires more frequent MFA challenges because of the nature of the operations.
According to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow, it appears I can accomplish this by creating 2 B2C custom policies with different refresh token timeouts and set the session behavior to Policy.
Policy - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi-factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications, as long as the session tied to the user flow doesn't expire.
My questions:
Is this the appropriate design to accomplish the goal or is there a more preferred approach?
Will this result in a user being double-MFA'd if they log in after 2 days of inactivity and immediately navigate to the elevated portion of the application? I think the answer is 'Yes', but want to confirm. Is there a way to avoid this double-MFA and have the policy recognize that an MFA was already triggered within its own window?
You might try setting the Single sign-on configuration to Application and use the same with your 2 custom policies. This will allow the user's SSO to be shared for any policy being used and should allow the session expiry time to be controlled by each one of them. Also, if the user has passed MFA authentication, they should not need to do it again.
I have a web application that authenticates with my B2C tenant with MFA turned on at the Sign-In Policy level [at this point MFA is disabled at the User Level] and the policy is configured to use "username" to log in. The application works fine and the user is able to log in. What I am trying to accomplish is to have MFA at the user level, meaning only certain users will be required to use MFA while others will be able to log in without MFA.
The problem that I am facing is, when I turn on MFA at the User Level and turn off MFA at the Sign-In Policy level
[screenshot: MFA at user level]
after the first password authentication screen, the redirect to the multi-factor authentication screen, where it asks the user where to send the code, is failing. Instead it is going back to the first password authentication screen and seems to be in a loop. When both MFAs are turned off, it works fine with the password authentication and the user is able to log in to the application. When both are turned on, it's the same behavior where it goes back to the first password screen in a loop. Am I missing something here, or is it even possible to do this?
Azure AD B2C does not have out-of-the-box support for user-level MFA.
The UI you referenced is from enterprise Azure AD, and while it shows up for Azure AD B2C as well, as you've noticed, it won't work.
The best approximation to what you are looking for is having two policies, one with MFA and one without MFA. You would have to implement your own mapping table and route users through the appropriate policy.