I have MFA enabled…but I never get prompted on my PC

With the adoption of MFA (multi-factor authentication) ramping up significantly to help thwart BEC (Business Email Compromise), some people have noticed that the end-user experience isn’t quite what they expected when using their PC.  They aren’t getting prompted the first time each day they use their browser for Office 365, or even when their password expires.  This seems contrary to all of the Microsoft documentation, so what gives?

It comes down to whether your device is considered a trusted device. This could be because the PC is Azure AD registered or Hybrid Azure AD joined. In that case the device itself is treated as a second factor and therefore meets the MFA requirement. If you log in on the same PC from a private browser session, you’ll get the MFA prompt as expected, because that session’s authentication is isolated.
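To check which of these states a given PC is in, the following added example (not part of the original post) parses the output of `dsregcmd /status`, the built-in Windows device registration command, and names the resulting state. The function name `Get-DeviceTrustState` is hypothetical and the sample output is constructed; the page names the registered and hybrid joined states, and the example also reports a cloud-only Azure AD joined device.

```powershell
# Added example: classify a PC's Azure AD device state from `dsregcmd /status`.
function Get-DeviceTrustState {
    param(
        # Lines of `dsregcmd /status` output; by default, run it on the local PC.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    # dsregcmd prints "Name : Value" pairs; section banners do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined  = $fields['AzureAdJoined']   -eq 'YES'
    $domJoined  = $fields['DomainJoined']    -eq 'YES'
    $registered = $fields['WorkplaceJoined'] -eq 'YES'

    # AzureAdJoined + DomainJoined means hybrid joined; WorkplaceJoined means registered.
    if ($aadJoined -and $domJoined) { $state = 'Hybrid Azure AD joined' }
    elseif ($aadJoined)             { $state = 'Azure AD joined' }
    elseif ($registered)            { $state = 'Azure AD registered' }
    else                            { $state = 'Not registered or joined' }

    [pscustomobject]@{
        DeviceState     = $state
        AzureAdJoined   = $aadJoined
        DomainJoined    = $domJoined
        WorkplaceJoined = $registered
    }
}

# Constructed sample output (not captured from a real machine), so this runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
              DomainJoined : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceTrustState -StatusText $sample   # DeviceState: Hybrid Azure AD joined
```

Calling `Get-DeviceTrustState` with no arguments on the affected PC reads the live device state instead of the sample.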

I worked with various members of the Microsoft support team on this issue, providing logs and other datasets to them.  After almost 4 months of back and forth, they determined it was “by design” and just lacked the proper documentation around it.  They didn’t want to incorporate it in the main list of authentication methods for whatever reason, but it is listed on their “Azure Active Directory device management FAQ.”  Hopefully, sharing this resource will give some others a fighting chance when designing a solution and the functional outcome isn’t matching up with expectations.

If you’d like to investigate MFA or conditional access, or want to learn how to detect when a mailbox is compromised, email info@peters.com. We are happy to help.

September 21st, 2018 | Advisory Services

About the Author:

John has been with Peters & Associates for over two decades. Over the years, John has diligently worked on the delivery of solutions matched to organizational business issues. As technologies have evolved, John has adapted skill-sets to continually exceed customer expectations and outcomes. John is a DePaul University alum with a Master’s in Computer Science with minors in Math and Physics. John’s capabilities are validated by industry certifications and accolades including CISSP, CCNP, MCSE, and many others. John has primary mentoring and managerial responsibilities over a dedicated engineering staff. With client satisfaction as a guiding star, John aligns delivery, escalation, consistency, and on-going training to make sure customers receive value day-in, day-out.