What I am testing
In order to force MFA, I created a very simple Azure conditional access policy:
User and group: all users
Grant: requires MFA
What I get
But this rule never applied.
What I did
I tested from the WhatIf tool and from running Connect-AzAccount as well.
When testing I discovered that if I apply:
Cloud apps or action: Office 365 (or whatever)
This time whatIf is triggered.
My question
Could anybody explain this behavior to me? What should I do about it?
Thanks
After seeing your question, I started testing MFA in my tenant. I followed this document and it finally worked; I hope it helps you.
I created a test tenant for this scenario, and in Azure AD I needed to disable Security Defaults first; this doc shows the operation.
According to your description, it seems that your configuration didn't work; I assume that you may have missed some steps. When adding a Conditional Access policy, you need to add a policy name, then choose the affected scope (users and groups), select Cloud apps or actions (e.g. choose Microsoft Azure Management so the policy applies to sign-in events to the Azure portal), and check the box for Require multi-factor authentication under Access controls -> Grant.
Here's my configuration. When I signed in to the Azure portal with the test user, it asked me to use my phone to prove myself.
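The thread above turns on a policy that has users assigned but no cloud app or user action, so it is never evaluated. The following is an added example, not code from the question or the answer: a small audit over the JSON shape that Microsoft Graph returns for Conditional Access policies (the `conditions.applications.includeApplications`, `conditions.users.includeUsers` and `state` fields), flagging policies that cannot take effect. The two policies in `SAMPLE_POLICIES` are constructed for the example and do not describe any real tenant.

```python
"""Flag Conditional Access policies whose assignments mean they never apply.

Added example. Input follows the Microsoft Graph conditionalAccessPolicies
JSON shape; the policies below are constructed samples, not tenant data.
"""
import json

# Constructed sample: the first policy mirrors the thread (users assigned,
# no cloud app or user action), the second is a working MFA policy, the
# third is in report-only mode and therefore not enforced.
SAMPLE_POLICIES = json.dumps({"value": [
    {"displayName": "Require MFA - all users (no app target)",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "includeGroups": [], "includeRoles": []},
         "applications": {"includeApplications": [], "excludeApplications": [],
                          "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - all cloud apps",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "includeGroups": [], "includeRoles": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": [],
                          "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - pilot (report only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": [], "includeGroups": ["pilot-group-id"], "includeRoles": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": [],
                          "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def _has_app_target(apps: dict) -> bool:
    """True when the policy names at least one cloud app or user action."""
    return bool(apps.get("includeApplications")) or bool(apps.get("includeUserActions"))


def _has_user_target(users: dict) -> bool:
    """True when the policy names at least one user, group or directory role."""
    return any(users.get(k) for k in ("includeUsers", "includeGroups", "includeRoles"))


def audit_policies(policies_json: str) -> dict:
    """Return {policy name: [issues]} for every policy that cannot take effect as written."""
    findings = {}
    for pol in json.loads(policies_json)["value"]:
        issues = []
        cond = pol.get("conditions", {})
        if not _has_app_target(cond.get("applications", {})):
            issues.append("no cloud app or user action assigned: policy is never evaluated")
        if not _has_user_target(cond.get("users", {})):
            issues.append("no users, groups or roles assigned")
        if pol.get("state") != "enabled":
            issues.append(f"state is {pol.get('state')!r}: not enforced")
        if issues:
            findings[pol["displayName"]] = issues
    return findings


def find_unscoped_policies(policies_json: str) -> list:
    """Names of policies with no cloud app or user action, the case from the thread."""
    return sorted(name for name, issues in audit_policies(policies_json).items()
                  if any(i.startswith("no cloud app") for i in issues))


if __name__ == "__main__":
    for name, issues in audit_policies(SAMPLE_POLICIES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Feeding the output of a real Graph call (`GET /identity/conditionalAccess/policies`) into `audit_policies` is a quick way to catch the "all users, no app" shape before relying on the What If tool.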
Related
I am currently developing an Azure Web App, which uses the Microsoft identity platform. Everything works fine as a single- and multi-tenant application. I only have one big problem, where I did not find any good solution, or at least best practices.
I would like the application to support multiple tenants. This means that I definitely need a multi-tenant application. Anyways, this allows ALL Microsoft users to access my Web App, which I highly do not want. The business plan is as follows: Businesses buy the subscription/product and then gain access to the application (initially manually).
At first I thought that there might be some sort of setting in Azure to manually white-/blacklist certain tenants directly in the portal. I did not find anything regarding this, but maybe I missed it.
My second thought is that I have to implement the logic in the server directly. This should not be a problem, but are there already any existing resources one can use regarding this? My idea was that after/before each redirect to a page, the server checks the database to see if the tenant is allowed to visit the page. If not, a redirect to a "You are not allowed to visit this page!" page should happen.
Did I miss anything major here? I am 100% certain, that this is a somewhat common use-case and therefore am baffled that I did not find anything relevant regarding this.
Single-tenant applications can be accessed only by users who have an organizational account in the same AAD where the application is registered. Multi-tenant applications can on the other hand be accessed by anyone who has a valid organizational account.
The first time you try to authenticate to a multi-tenant application it isn't registered with your organization's AAD. You have to trigger the consent flow which will allow the user to login with their organizational account and grant the application the necessary permissions.
One way to solve your problem is by restricting access to tenants in Azure Active Directory. Check this document for detailed information.
Another way is by setting up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C. Check this document for more information.
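The question above proposes a server-side check of the caller's tenant against a database of customers, and the answer points to restricting which tenants may sign in. The following is an added example, not the asker's code or Microsoft's: an authorization step for a multi-tenant app that receives the claims of an already signature-validated ID token (the OIDC library does that part; this code must not be run on an unverified token) and allows the request only when the `tid` claim is on the allow-list and agrees with the token issuer. The `ALLOWED_TENANTS` table and the tenant IDs in the test claims are constructed placeholders standing in for the customer database.

```python
"""Allow-list check on the tenant of an already-validated Azure AD token.

Added example. The claims dict is assumed to come from an OIDC library that
has already verified the token signature, audience and expiry; this code only
decides whether the tenant that issued it is a paying customer.
"""

# Constructed placeholder for the customer database: tenant id -> customer name.
ALLOWED_TENANTS = {
    "00000000-0000-0000-0000-000000000001": "Contoso (subscription active)",
    "00000000-0000-0000-0000-000000000002": "Fabrikam (subscription active)",
}

# Issuer formats used by Azure AD v2.0 and v1.0 tokens for a given tenant.
_ISSUER_FORMATS = (
    "https://login.microsoftonline.com/{tid}/v2.0",
    "https://sts.windows.net/{tid}/",
)


class TenantNotAllowed(Exception):
    """Raised when the token's tenant may not use the application."""


def check_tenant(claims: dict, allowed: dict = ALLOWED_TENANTS) -> str:
    """Return the customer name for the token's tenant, or raise TenantNotAllowed.

    Checks, in order: the tid claim exists, the issuer is the Azure AD issuer
    for that same tenant (so a tid cannot be smuggled from another issuer),
    and the tenant is on the allow-list.
    """
    tid = claims.get("tid")
    if not tid:
        raise TenantNotAllowed("token carries no tid claim")
    iss = claims.get("iss", "")
    if iss not in {fmt.format(tid=tid) for fmt in _ISSUER_FORMATS}:
        raise TenantNotAllowed(f"issuer {iss!r} does not match tenant {tid}")
    if tid not in allowed:
        raise TenantNotAllowed(f"tenant {tid} is not an allowed customer")
    return allowed[tid]


def authorize_request(claims: dict, allowed: dict = ALLOWED_TENANTS) -> tuple:
    """Decision for a request handler: ('allow', customer) or ('redirect', path).

    Mirrors the question's design: unknown tenants are sent to a
    "not allowed" page instead of the requested resource.
    """
    try:
        return ("allow", check_tenant(claims, allowed))
    except TenantNotAllowed:
        return ("redirect", "/not-allowed")


if __name__ == "__main__":
    # Constructed claims as an OIDC library would hand them over after validation.
    ok = {"tid": "00000000-0000-0000-0000-000000000001",
          "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0",
          "oid": "user-object-id", "preferred_username": "alice@contoso.example"}
    print(authorize_request(ok))  # ('allow', 'Contoso (subscription active)')
```

Keying the allow-list on `tid` rather than on the e-mail domain matters: the UPN is user-controlled text, while `tid` is set by the issuing directory and is tied to the issuer URL that the signature covers.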
I was trying to set up Azure AD Connect between an on-prem lab and Azure AD. I have done this countless times, but this is the first time this is happening. As soon as I am done entering all the configuration details and click Configure, the installer first creates a synchronization account in Azure AD and then prompts me for credentials for that account. From my experience this should not happen. Is there any configuration I should check on the Azure AD side? I tried doing this with a different Azure AD tenant and was successful. Not sure what I should look for.
Can you please confirm whether you have any MFA policy being applied to all accounts? This issue normally happens when you have a conditional access policy that is applied to all accounts, so this account got created automatically and got the policy applied. If so, please exclude this account from that conditional access policy and the issue should be solved.
I recently added an Azure AD B2C tenant to an existing subscription.
Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:
After clicking Next I can only select Mobile app from the dropdown to verify my account. There is no option to verify by phone.
Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:
This brings up an error message without Correlation ID or timestamp:
There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.
MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.
Questions:
How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
If MFA cannot be disabled, how can I register my device or phone number?
Thx,
The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did.
Anyway, here are the steps I took:
On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication.
(It's in the top menu.)
The Multi-Factor Authentication page opens in a new browser window.
Enable MFA for the user account with the issue.
Logon with that account on account.activedirectory.windowsazure.com.
Click your account in the top-right corner to open a dropdown menu and select Profile.
Select 'Additional Security Verification'.
All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
Complete the Additional Security Verification and make sure MFA works.
Go back to Azure AD > Users > Multi-Factor Authentication, and Disable MFA again.
In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.
MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.
The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.
I think your answer @flip is part of the riddle. You're in effect pre-registering your phone number so when forced to set up MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.
For example if you log on to a device as a local user and join AAD as illustrated you can get both scenarios. I think the same is true for new build as in a previous Test we had to enter a mobile number but I can't recall exactly which scenario.
However, after several more days with Azure support we've managed to isolate root cause if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.
In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.
Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.
I think we may have partly figured this out. In our instance, disabling MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an Intune subscription either, but this is under AAD > Mobility (MDM and MAM). It does mean however that devices aren't enrolled, so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!
An Azure AD tenant comes with Security Defaults enabled. You will have to disable this setting in the directory:
Active directory > Properties > Manage security defaults > toggle to No
This will disable the default MFA setup.
We have a custom web application which is hosted on a Hetzner server. The users get redirected to Azure AD to log in when they want to access the site. Our goal is to enable MFA only for this application, but it does not work: there is only the normal login, with no second factor required.
We have added a custom cloud app in Azure AD and configured a policy for this app with MFA activated (no matter which client, location, etc.). When MFA is activated globally it works and the users have to enable/use a second factor to get logged in by Azure AD. But with the policy it does not work.
The What-If tool says that the policy is applied. The Azure AD has a P2 license and, for testing, one user also has a Cloud App Security license.
Does anyone know why the conditional access rule is not taken into account?
I tested at my side, and everything was fine. Here is my conditional access setting:
Select users and groups
Choose the application
Set the grant access control
Enable the policy
Finally, when I tried to sign in to the web application, I was asked to provide additional information. But for other apps (Azure portal, Office portal and so on), I can still sign in directly.
Finally we found a solution for our web application.
Our application uses response_type code and used the scope user.read when redirecting to Azure AD. We have added openid to the scope and now the conditional access policy is executed.
I don't know why this fixes the issue, but maybe someone also falls into this trap and at least finds a solution.
I am trying to publish a website to Azure from VS 2013. It always shows me the login screen with the Organization account option only. Sometimes in between it shows both options in the login screen, i.e. Microsoft account or Organization account.
Why is it not showing both account options all the time? Any ideas?
This is probably not a definitive answer, but hopefully will shed some light on the situation.
Everything in Azure is linked to an Azure Active Directory. Azure uses a feature called Home Realm Discovery to determine the appropriate AAD instance for a user. Basically it runs several checks on the @xxx.yyy portion of your email/login id.
If it's xxx.onmicrosoft.com, then xxx is the AAD tenant.
Otherwise, it looks for any custom domain matching xxx.yyy and uses the associated AAD tenant.
Since Microsoft Accounts can be associated with multiple directories they can not be used for Home Realm Discovery.
My guess is that if VS doesn't know which directory you're targeting it forces you to use an org account so it can "discover" it. If it already knows the directory and just needs to authenticate you to it, then it allows you to use either a Microsoft account or an organizational account.
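The two rules the answer above describes (an `xxx.onmicrosoft.com` suffix names the tenant directly; otherwise a verified custom domain maps to a tenant; a consumer Microsoft account yields no realm) are easy to state as code. The following is an added example, not the answerer's code or Microsoft's implementation: a toy realm lookup over a constructed `CUSTOM_DOMAINS` table, returning `None` when no organizational tenant can be discovered from the login id.

```python
"""Toy Home Realm Discovery over the domain part of a login id.

Added example. CUSTOM_DOMAINS is a constructed stand-in for the verified
custom-domain registrations that Azure AD would consult; nothing here
contacts a directory.
"""

ONMICROSOFT_SUFFIX = ".onmicrosoft.com"

# Constructed sample of verified custom domains -> tenant name.
CUSTOM_DOMAINS = {
    "contoso.example": "contoso",
    "fabrikam.example": "fabrikam",
}

# Well-known consumer (Microsoft account) domains: no organizational realm.
CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}


def login_domain(login_id: str) -> str:
    """Return the lower-cased domain part of 'user@domain', rejecting malformed ids."""
    local, sep, domain = login_id.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a user@domain login id: {login_id!r}")
    return domain.lower()


def discover_realm(login_id: str, custom_domains: dict = CUSTOM_DOMAINS):
    """Apply the answer's two rules; None means no org tenant could be discovered.

    1. user@xxx.onmicrosoft.com -> tenant 'xxx'
    2. user@custom.domain      -> the tenant that verified that domain
    Anything else (consumer accounts, unknown domains) has no home realm,
    which is why a Microsoft account alone cannot drive the lookup.
    """
    domain = login_domain(login_id)
    if domain.endswith(ONMICROSOFT_SUFFIX):
        tenant = domain[: -len(ONMICROSOFT_SUFFIX)]
        return tenant or None
    if domain in CONSUMER_DOMAINS:
        return None
    return custom_domains.get(domain)


if __name__ == "__main__":
    for uid in ("alice@contoso.onmicrosoft.com", "bob@fabrikam.example", "carol@outlook.com"):
        print(uid, "->", discover_realm(uid))
```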
I have the same problem. VS2012 published to Azure using the same profile just fine.
I found this. It sounds promising. I'll test tomorrow:
http://www.nguyenquyhy.com/2014/10/an-error-occurred-while-creating-the-webjob-schedule/