With the adoption of MFA (multi-factor authentication) ramping up significantly to help thwart BEC (Business Email Compromise), some people have noticed that the end-user experience isn’t quite what they expected when using their PC. They aren’t getting prompted the first time each day they use their browser for Office 365, or even when their password expires. This seems contrary to all of the Microsoft documentation, so what gives?
It comes down to whether your device is considered a trusted device. This is the case when the PC is Azure AD registered or Hybrid Azure AD joined. The device itself is then treated as a second factor and therefore satisfies the MFA requirement, so no interactive prompt appears. If you log in on the same PC from a private browser session, you will see the MFA prompt as expected, because the private session is isolated from the device's existing sign-in state.
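To check which situation a given PC is in, the built-in `dsregcmd /status` tool reports the device's Azure AD join state. The script below is an added example, not code from the original post or from Microsoft; it parses that output and summarises the join type. The field names it looks for (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt) and the sample lines at the bottom are assumptions based on typical `dsregcmd /status` output, not captured from a real machine.

```powershell
# Added example (not from the original post): inspect the local device's Azure AD
# state to explain why a browser sign-in may not prompt for MFA.
# Assumptions: Windows 10/11 with the built-in dsregcmd.exe, and the field names
# AzureAdJoined, DomainJoined, WorkplaceJoined and AzureAdPrt as printed by
# `dsregcmd /status`.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Output lines of `dsregcmd /status`. Defaults to running the command on
        # this PC; pass captured lines to analyse another machine's output offline.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )

    # Build a name -> value map from the "Key : Value" lines; other lines are ignored.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined = $fields['DomainJoined']    -eq 'YES'
    $registered   = $fields['WorkplaceJoined'] -eq 'YES'   # Azure AD registered
    $hasPrt       = $fields['AzureAdPrt']      -eq 'YES'   # Primary Refresh Token present

    $joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($aadJoined)                { 'Azure AD joined' }
                elseif ($registered)               { 'Azure AD registered' }
                else                               { 'Not joined or registered' }

    [pscustomobject]@{
        JoinType               = $joinType
        HasPrimaryRefreshToken = $hasPrt
        # Assumption for this example: a joined or registered device that holds a
        # PRT is the "trusted device" the post describes. Expect no MFA prompt in
        # the user's normal browser profile, but still a prompt in a private window.
        DeviceCountsAsFactor   = (($aadJoined -or $registered) -and $hasPrt)
    }
}

# Constructed sample lines (not real output) so the parser can be exercised offline.
$sample = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES',
    '           WorkplaceJoined : NO',
    '                AzureAdPrt : YES'
)
Get-DeviceJoinState -StatusLines $sample | Format-List

# On the PC that is not prompting, run it without arguments to read the live state:
# Get-DeviceJoinState | Format-List
```

With the constructed sample the function reports a Hybrid Azure AD joined device with a PRT, which is exactly the case where the device satisfies the MFA requirement and the user sees no prompt. A device that reports no join state and no PRT should prompt on every sign-in, so comparing the two outputs is a quick way to confirm whether "missing" prompts are the trusted-device behaviour rather than a misconfigured policy.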
I worked with various members of the Microsoft support team on this issue, providing logs and other datasets to them. After almost 4 months of back and forth, they determined it was “by design” and just lacked the proper documentation around it. They didn’t want to incorporate it in the main list of authentication methods for whatever reason, but it is listed on their “Azure Active Directory device management FAQ.” Hopefully, sharing this resource will give some others a fighting chance when designing a solution and the functional outcome isn’t matching up with expectations.
If you’d like to investigate MFA or conditional access, or want to learn how to become aware if a mailbox is compromised, email email@example.com. We are happy to help.