Most organizations have understood the need for securing cloud identities with a second factor of authentication like Azure Multi-Factor Authentication (MFA). Still, a lot are doing it wrong. It is not complicated to do Azure MFA the right way using Microsoft Intune and conditional access. Spend 20 minutes on this session and see how to protect all cloud apps and identities with a few simple steps.
Watch this short but informative 18-minute session from Ignite 2018 on how to get started with Azure MFA the right way:
I recently worked on a project to secure access to Azure AD integrated applications for external identities using conditional access.
The main goal was to grant external users access to 2 applications but require Azure MFA, and to block access to all other applications (even new ones that may be integrated in the near future), for example the Office 365 services.
So I created 2 conditional access policies for that scenario:
All Guest Users + include the 2 apps to grant access to: Allow, but require Azure MFA
All Guest Users + All apps (except the 2 apps to grant access to): Block
All works as designed and required, but after testing with my guest account in that tenant, I tried to remove myself from the tenant via the Access Panel (https://myapps.microsoft.com).
But that failed due to a permission error (Don’t have access to that application).
As you can see from the screen above, you need to sign in to the foreign company again, the one where you were invited to. Doing so leads you to the Access Panel of that foreign company, which of course is blocked by the conditional access policy.
Sadly there is currently no application entry for the Access Panel, so we cannot exclude that app from conditional access.
Currently the only way around it is to not use “All apps”, but instead select all registered apps in the include list and build a proper manual process to include new applications that may be registered in the future.
I already reported this to the product group as an issue: as this feature was also introduced because of GDPR, it should be available even if I block access to all apps.
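To make the two policies and the manual workaround concrete, here is an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes an existing Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes; the two application IDs are constructed placeholders.

```powershell
# Added example, not from the original post. Placeholder app IDs for the two apps guests may use.
$allowedAppIds = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')
$policyUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Policy 1: all guest users + the 2 apps -> grant, but require MFA.
$allowPolicy = @{
    displayName   = 'Guests - allow 2 apps with MFA'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after validation
    conditions    = @{
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications = @{ includeApplications = $allowedAppIds }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $allowPolicy

# Workaround for the Access Panel problem: instead of "All apps" with an exclusion,
# explicitly include every registered service principal except the allowed ones.
function Get-BlockedAppIds {
    param([string[]]$Allowed)
    Get-MgServicePrincipal -All -Property AppId |
        Select-Object -ExpandProperty AppId |
        Where-Object { $Allowed -notcontains $_ }
}

$blockConditions = @{
    users        = @{ includeUsers = @('GuestsOrExternalUsers') }
    applications = @{ includeApplications = @(Get-BlockedAppIds -Allowed $allowedAppIds) }
}

# Policy 2: all guest users + every other registered app -> block.
$blockPolicy = @{
    displayName   = 'Guests - block all other registered apps'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $blockConditions
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $blockPolicy

# The "manual process" from the post, automated: re-run this from a scheduled job so that
# apps registered later are added to the block list instead of slipping through.
$refresh = @{ conditions = $blockConditions }
Invoke-MgGraphRequest -Method PATCH -Uri "$policyUri/$($created.id)" -Body $refresh
```

Keep the policies in report-only state until the sign-in logs confirm that guests reach only the two allowed apps and that the explicit block list does not unintentionally catch an app you rely on.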
While Azure MFA has many good capabilities, there is currently one thing you cannot do, which may be important for some customers; in fact, I already heard that from them.
The missing part is to ONLY force the user to register for Azure MFA, without enabling it on the whole account for every login.
Ok, ok, it’s not 100% true, as you can purchase an Azure AD Premium P2 license and use Identity Protection to force registration only, but for sure no customer wants to buy P2 only for that particular feature, as it might be very expensive depending on the number of users you have.
But now, or in the near future to be correct, there is a new way to do so. And the solution is the new converged experience for Azure MFA and SSPR (Self Service Password Reset), currently in an opt-in public preview.
While I have set up hybrid joined devices with ADFS authentication enabled many times, which mostly worked well with the documents provided by Microsoft, I recently worked on a project where we needed to join Windows 10 devices to Azure AD in a Password Hash Sync with Seamless Single Sign-On scenario.
While you don’t need to synchronize Windows 10 clients to Azure AD as devices with Azure AD Connect when using ADFS authentication, I found out that it is a requirement for joining devices in a PHS/SSSO scenario, which is of course stated in the documentation:
Verify that Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OU), then these OUs need to be configured for synchronization in Azure AD connect as well.
Why do I need this:
While in an ADFS setup we have the additional claims for device authentication, this of course will not work in a PHS or PTA with SSSO scenario, so the devices need to be able to authenticate themselves, because the join to Azure AD happens in the context of the machine account.
This only applies to Windows 10 devices, because:
Windows 7 and 8 cannot be synchronized with Azure AD Connect
Windows down-level devices join in the user context of the logged-in account.
If you get the following error when running
dsregcmd /status /debug
you may be missing the device sync with AADC:
get_DefaultWebAccount returned nullptr. Default account is NOT set.