0 Votes
yannara asked yannara edited

Ask MFA if device is not compliant - not possible?

I am testing different Conditional Access policies with MFA, so I have 3 different policies:

  1. Office local apps -> device is compliant -> grant

  2. Office local apps -> MFA-> grant

  3. Office web apps -> MFA->grant

With these options, users with a non-compliant device do receive an MFA prompt but are still not allowed in. But the same user opening office.com from a non-compliant device via the web does get into the Office web apps fine. I would like to achieve the scenario that if the device is not compliant, MFA would pop up for Office local apps. Not sure if it is even possible.

Tags: azure-ad-multi-factor-authentication, azure-ad-conditional-access

1 Vote
vipulsparsh-MSFT answered yannara commented

@yannara Thanks for reaching out.

Under the Office local apps policy, try this configuration and test:

[screenshot attached: 117972-image.png]

Let us know if this meets your expectation.




Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.




Thanks, yeah of course this makes sense. Not possible to test right now, but I will come back to this.

0 Votes 0 ·
0 Votes
yannara answered

So I now have 3 policies:

  1. Block All Office local apps.

  2. Allow Office client apps without MFA if Device is compliant

  3. Allow Office web & client apps with MFA.

I see this user activity in the pic below, but he still gets "You cannot access this right now".

[screenshot attached: 118412-image.png]



Fyi @vipulsparsh-MSFT



0 Votes
yannara answered yannara commented

Just wondering here, does it make any sense at all to target more than one Conditional Access policy at the same user...?


@yannara If multiple policies get applied to the same user, the most restrictive policy gets applied. For example, if one policy asks for MFA, another asks for a password change and the last one says block, then the block policy will apply.

All CA policies are always evaluated, and the most restrictive one gets applied.

1 Vote 1 ·

Excellent, thanks!

0 Votes 0 ·
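The combination rule described in the comment above, run against the two policy sets posted earlier in the thread, as an added example that is not part of the original thread and not Microsoft's code. It models what Azure AD documents for Conditional Access: every policy whose assignments match the sign-in is evaluated; if any of them blocks, the sign-in is blocked; otherwise the user has to satisfy the grant controls of every matching policy. The policy names, the `SignIn` fields and the control names `"mfa"` and `"compliant"` are assumptions made for the model. A third, hypothetical policy set shows the usual way to express "compliant device OR MFA" inside one policy, via the grant option "Require one of the selected controls"; the answer's screenshot is not reproduced here, so no claim is made about what it contains.

```python
"""Toy model of how Azure AD Conditional Access combines several policies
that match the same sign-in.  Added example for this thread; it is not code
from the posts or from Microsoft.  Rule modelled: every policy whose
assignments match the sign-in is evaluated; if any matching policy blocks,
the sign-in is blocked; otherwise the user must satisfy the grant controls
of EVERY matching policy.  The policy names, the SignIn fields and the
control names "mfa" / "compliant" are assumptions made for the model."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Policy:
    name: str
    client_apps: FrozenSet[str]               # assignment: "desktop" and/or "browser"
    block: bool = False                       # grant = "Block access"
    controls: FrozenSet[str] = frozenset()    # grant controls: "mfa", "compliant"
    require_all: bool = True                  # "Require all" vs "Require one of the selected controls"


@dataclass(frozen=True)
class SignIn:
    client_app: str            # "desktop" (Office client) or "browser" (office.com)
    device_compliant: bool     # compliance state the device presents
    mfa_capable: bool = True   # user is registered for MFA, so a prompt can succeed


@dataclass
class Decision:
    granted: bool
    applied: List[str]         # policies whose assignments matched
    demanded: Set[str]         # controls the user will be asked to present
    failed: List[str]          # policies that block or cannot be satisfied


def _controls_for(policy: Policy, can: Set[str]) -> Optional[Set[str]]:
    """Controls this policy will demand from the sign-in, or None if it cannot be met."""
    if policy.require_all:
        return set(policy.controls) if policy.controls <= can else None
    usable = policy.controls & can
    if not usable:
        return None
    # a compliant device satisfies the policy silently, so prefer it over a prompt
    return {"compliant"} if "compliant" in usable else {sorted(usable)[0]}


def evaluate(policies: Sequence[Policy], s: SignIn) -> Decision:
    can: Set[str] = set()
    if s.mfa_capable:
        can.add("mfa")
    if s.device_compliant:
        can.add("compliant")
    applied = [p for p in policies if s.client_app in p.client_apps]
    blockers = [p.name for p in applied if p.block]
    if blockers:   # a block in any matching policy wins outright
        return Decision(False, [p.name for p in applied], set(), blockers)
    demanded: Set[str] = set()
    failed: List[str] = []
    for p in applied:
        needed = _controls_for(p, can)
        if needed is None:
            failed.append(p.name)
        else:
            demanded |= needed
    return Decision(not failed, [p.name for p in applied], demanded, failed)


# constructed policy sets mirroring the ones posted in the thread
FIRST_ATTEMPT = (
    Policy("Office local apps -> compliant device", frozenset({"desktop"}), controls=frozenset({"compliant"})),
    Policy("Office local apps -> MFA", frozenset({"desktop"}), controls=frozenset({"mfa"})),
    Policy("Office web apps -> MFA", frozenset({"browser"}), controls=frozenset({"mfa"})),
)
SECOND_ATTEMPT = (
    Policy("Block all Office local apps", frozenset({"desktop"}), block=True),
    Policy("Office client apps -> compliant device", frozenset({"desktop"}), controls=frozenset({"compliant"})),
    Policy("Office web & client apps -> MFA", frozenset({"desktop", "browser"}), controls=frozenset({"mfa"})),
)
# hypothetical: one policy saying "compliant device OR MFA" via "Require one of the selected controls"
ONE_OF = (
    Policy("Office local apps -> compliant device OR MFA", frozenset({"desktop"}),
           controls=frozenset({"compliant", "mfa"}), require_all=False),
    Policy("Office web apps -> MFA", frozenset({"browser"}), controls=frozenset({"mfa"})),
)

if __name__ == "__main__":
    for label, policies in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT), ("one-of", ONE_OF)):
        for s in (SignIn("desktop", False), SignIn("desktop", True), SignIn("browser", False)):
            d = evaluate(policies, s)
            print(f"{label:14} {s.client_app:7} compliant={s.device_compliant!s:5} -> "
                  f"{'GRANT' if d.granted else 'BLOCK'} demanded={sorted(d.demanded)} failed={d.failed}")
```

Running it reproduces both observations from the thread: with the first set, a desktop sign-in from a non-compliant device is asked for MFA (the second policy) and still denied, because the first policy's compliance requirement cannot be met, while the browser sign-in only matches the web policy and gets in after MFA; with the second set, the block policy wins for every desktop sign-in no matter what the other two policies grant. The one-of set is the shape that gives "no prompt on a compliant device, MFA otherwise" for the desktop apps.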
0 Votes
yannara answered yannara commented

I also have disabled Security Defaults because I don't want MFA being applied to everyone. MFA is enabled per user. Currently the situation is that MFA is not prompted when it should be.


@yannara What scenario are you talking about? Can you give more details? When you use the What If tool, does it say that the CA policy will get applied? Read more about this tool here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

1 Vote 1 ·

@vipulsparsh-MSFT thanks for the support, I must come back to this next week. Maybe need to re-plan everything :)

0 Votes 0 ·
0 Votes
yannara answered yannara edited

Okay, I think I got it... needed to redesign and re-think this a little bit. A few tips I learned:
- AAD sign-in logs have SOME delay; logs are shown later, maybe even 15 min late.
- Failure means the CA has denied the attempt, so you need to understand the difference
[screenshot attached: 119041-image.png]

- MFA also means fingerprint or PIN, so there would not always be an Authenticator app or SMS code. I totally forgot about this.
- In IP-based known locations, the external / public IP range matters, not the internal one behind the NAT.


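The "Failure means the CA has denied the attempt" tip above, turned into a small triage script, as an added example that is not part of the original thread and not Microsoft's code. It walks sign-in log entries shaped like Microsoft Graph `signIn` objects (the fields `conditionalAccessStatus`, `appliedConditionalAccessPolicies` with per-policy `result` and `enforcedGrantControls`, and `status.errorCode`) and reports, for each denied sign-in, which policies matched, which one could not be satisfied and which controls were demanded. The two entries are constructed for the example; their values are illustrative and assume the first policy set from the question. The two AADSTS codes in `KNOWN_ERRORS` are from Microsoft's public error list.

```python
"""Triage Azure AD sign-in log entries by their Conditional Access fields.
Added example for this thread; not code from the posts or from Microsoft.
The entries below are constructed to look like Microsoft Graph `signIn`
objects; the values are made up for illustration.  A conditionalAccessStatus
of "failure" means a policy matched and could not be satisfied (what the
user sees as "You cannot access this right now"), as distinct from
"notApplied" (no policy matched) or a sign-in the user simply abandoned."""
import json
from typing import Dict, List

# constructed sample entries (Graph signIn field names, illustrative values)
SAMPLE_SIGNINS = json.loads("""
[
  {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
   "clientAppUsed": "Mobile Apps and Desktop clients",
   "conditionalAccessStatus": "failure",
   "status": {"errorCode": 53000, "failureReason": "Device is not in required device state: compliant."},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Office local apps -> compliant device", "enforcedGrantControls": ["RequireCompliantDevice"], "result": "failure"},
     {"displayName": "Office local apps -> MFA", "enforcedGrantControls": ["Mfa"], "result": "success"},
     {"displayName": "Office web apps -> MFA", "enforcedGrantControls": [], "result": "notApplied"}
   ]},
  {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365",
   "clientAppUsed": "Browser",
   "conditionalAccessStatus": "success",
   "status": {"errorCode": 0, "failureReason": "Other."},
   "appliedConditionalAccessPolicies": [
     {"displayName": "Office local apps -> compliant device", "enforcedGrantControls": [], "result": "notApplied"},
     {"displayName": "Office local apps -> MFA", "enforcedGrantControls": [], "result": "notApplied"},
     {"displayName": "Office web apps -> MFA", "enforcedGrantControls": ["Mfa"], "result": "success"}
   ]}
]
""")

# AADSTS codes that a Conditional Access decision surfaces in status.errorCode
KNOWN_ERRORS = {53000: "DeviceNotCompliant", 53003: "BlockedByConditionalAccess"}


def triage(entry: Dict) -> Dict:
    """Summarise one sign-in: which policies matched, which denied it, what was demanded."""
    matched = [p for p in entry["appliedConditionalAccessPolicies"] if p["result"] != "notApplied"]
    denied = [p["displayName"] for p in matched if p["result"] == "failure"]
    controls = sorted({c for p in matched for c in p["enforcedGrantControls"]})
    code = entry["status"]["errorCode"]
    return {
        "user": entry["userPrincipalName"],
        "client": entry["clientAppUsed"],
        "ca_status": entry["conditionalAccessStatus"],
        "matched": [p["displayName"] for p in matched],
        "controls": controls,
        "denied_by": denied,
        "error": KNOWN_ERRORS.get(code, str(code)),
    }


def denied_signins(entries: List[Dict]) -> List[Dict]:
    """Only the sign-ins that Conditional Access actually denied."""
    return [triage(e) for e in entries if e["conditionalAccessStatus"] == "failure"]


if __name__ == "__main__":
    for row in denied_signins(SAMPLE_SIGNINS):
        print(f"{row['user']} via {row['client']}: denied by {row['denied_by']}, "
              f"controls demanded {row['controls']}, error {row['error']}")
```

Read against the first policy set in the question, the desktop entry shows the pattern the user described: the MFA policy succeeded (so the prompt was shown) and the compliance policy failed, with error 53000 naming the non-compliant device as the reason. On a real tenant the same summary can be produced from `GET /auditLogs/signIns` output, keeping in mind the ingestion delay noted in the tip above.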