Option to enforce authentication every time you access an SSO app (e.g. SaaS app)
Add an option to enforce authentication every time you access an SSO app (e.g. SaaS):
- Option could be possible per app
- Option could be 1) re-enter password (ignore SSO) 2) guaranteed MFA prompt (ignore MFA token)
Shared PCs, personal logins, SaaS app has sensitive payroll data. Concern: people don't log off -> anyone can walk up to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help due to the MFA token or Windows Hello strong auth. You can only play with the token lifetime.
Thank you for your feedback. We will review this request. Keep voting to help us prioritize.
Brett Korp commented
This is absolutely a critical feature.
Christian Bolfing commented
This feature is highly needed for securing critical accesses
Is this feature on any MS roadmap?
We would also need this feature for several clients migrating apps on AzureAD.
Bryan Firestone commented
Is there any plan on implementing this feature? As others have stated this is a critical gap in how Azure MFA/CA functions with high security applications. The ability to ignore an existing token/session cookie and require an explicit MFA challenge is a gap that needs to be solved.
Jeffrey A commented
For us this is actually the most important missing component to Conditional Access. Our use case is similar to others' here - we have a small number of particularly sensitive/restricted applications available as SAML-based-SSO Enterprise Applications in AAD. We need for each access through SSO to trigger an MFA prompt that must succeed before a successful authentication to the target application.
Though we take precautions around the use of sensitive systems and accounts, some of these applications are line-of-business for some of our team, so routinely signing in and out of differently privileged AAD accounts would be very annoying. Deploying something like JIT VMs or similar just to access these sensitive web based applications would be serious overkill. Likewise, a firewall/security group mitigation isn't an effective strategy for us because more than one of these applications are from a third party where we don't have that kind of control.
David McCumber commented
This needs to be implemented.
Very similar use case - some functions must force MFA before they can complete
Has anyone found a solution to this? We too need to force MFA for app access on Domain-Joined devices.
Thanks in advance!
Morris, Douglas commented
Need this for MFA as well, critical security need.
Looking for this feature with VPN. Our security team wants users prompted for MFA on every connection attempt, regardless of device state and location. This needs to be added as an option for Conditional Access: always require MFA or ignore the token.
Agreed - why is this not controllable?
If an admin sets a conditional access policy to "require MFA" the user needs to be prompted for it.
AzureAD should not be able to decide not to!
Thom McKiernan commented
I'm struggling to find a use case for this - sounds more like a people problem than a tech one after reading the examples here.
For the SaaS example, could just-in-time access to a VM or security group help people get over their use-case?
What is the status? From a security perspective this is incredibly important.
@Admin echoing everyone else here. We need a way to control how often MFA is required on an app basis. To clarify the use-case:
1) We generally want our users to be able to persist their browser sessions (O365 services). Ideally we'd like them to login/pass once a day.
2) We want our users to confirm MFA on their (non-domain-joined) device every 7 days.
3) For critical apps (VPN, Citrix, Password Vault, etc.) we want users to be prompted for MFA every time they open the browser/session, and not persist.
4) We don't want users to be prompted for login/pass or MFA if they are still in the same session/browser.
What we currently have available to us in conditional access is:
General CA Policy
1) All Cloud Apps = Always Persist
2) Sign-in Frequency = 7 days
Result - Users are prompted to MFA once every 7 days; if on a personal device, they will only be prompted to login/pass every 7 days. On an AD joined/registered device, they will login daily anyway.
Net Result - Increased Risk on personal devices (may not be locked, may be shared, now anyone can access the user's O365 services at any stage over the 7 days).
Restricted App CA Policy
1) Applies to Restricted App Only
2) Sign-in Frequency = 1 hour
Result - Users are prompted to login/pass, and MFA, once every 1 hour. If they have MFAed for general purpose within that hour, they will NOT be prompted when accessing the Restricted App. Inherited 'Always Persist' means they won't need to login/pass either.
Net Result - A clearly unacceptable level of security for systems like password management systems, as well as potential for unwanted 'in session' prompting for login/pass and MFA.
I understand Persistence is shared across web apps and can accept that this can't change, but we NEED the ability to manage the frequency of MFA for Critical Apps, completely separately from the frequency of login/pass. Can you please advise if this feature is being addressed?
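The two Conditional Access policies the comment above describes, written out as Microsoft Graph PowerShell SDK calls so the session controls they rely on are visible in one place. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed and uses placeholder object IDs for the restricted Enterprise App and a break-glass account. Both policies are created in report-only state.

```powershell
# Added example: the "General" and "Restricted App" CA policies from the comment.
# Assumes: Install-Module Microsoft.Graph; an account with the scope below.
# <restricted-app-id> and <break-glass-object-id> are placeholders, not real values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Users/apps shared by both policies; the break-glass exclusion avoids locking admins out.
$users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-object-id>") }
$mfaGrant = @{ operator = "OR"; builtInControls = @("mfa") }

# General CA Policy: all cloud apps, persistent browser session, 7-day sign-in frequency.
$general = @{
    displayName     = "CA-General-AllApps-MFA-7d"
    state           = "enabledForReportingButNotEnforced"   # report-only while validating
    conditions      = @{
        users          = $users
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls   = $mfaGrant
    sessionControls = @{
        signInFrequency   = @{ value = 7; type = "days"; isEnabled = $true }
        persistentBrowser = @{ mode = "always"; isEnabled = $true }
    }
}

# Restricted App CA Policy: one app, 1-hour sign-in frequency. persistentBrowser is left
# unset here, so the general policy's "always" still governs persistence for this app,
# which is the inherited behaviour the comment describes.
$restricted = @{
    displayName     = "CA-RestrictedApp-MFA-1h"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = $users
        applications   = @{ includeApplications = @("<restricted-app-id>") }
        clientAppTypes = @("all")
    }
    grantControls   = $mfaGrant
    sessionControls = @{
        signInFrequency = @{ value = 1; type = "hours"; isEnabled = $true }
    }
}

foreach ($policy in @($general, $restricted)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
```

Note that signInFrequency only bounds how old the session may be before re-authentication; a fresh MFA claim obtained for any other app within that window satisfies the restricted policy too, which is exactly the gap the comment reports.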
Martijn Spelt commented
What is the status of this request?
This is a must-have for business critical and/or confidential apps, and to maintain our information security principles with these SaaS applications.
This should be included. A must-have security feature
ditto for Eric and Kasper's comments
Emma Bailey commented
Exactly the same use case and reasoning as Kasper.
It's been a year since my last comment, and around 20 months since we sunk a buttload of time and money into setting up RRAS VPN, with Azure MFA and Conditional Access.
Since then, we've gotten a great article on the PRT. We've had a Microsoft employee blog about it in simpler terms and real-world scenarios.
Now, I think we deserve some controls on this.
We've seen that the Sign-In Frequency feature in Conditional Access works. I think it's time we get a control like that, but to dismiss MFA claims from the PRT.
Conditional Access has shown to be a strong framework, and I believe this would be a natural fit for Conditional Access.
Eric W commented
This is critical to us. We at my company are all in on Azure MFA and dynamic risk based CA policies. However there are just a few SAML apps we have that we can't allow for anything less than EVERY SINGLE TIME MFA. These include password vaults and access to our Tier-0 (domain admin) credentials (which we check in and out of a system).
So to be clear, we love things the way they are, but in some rare cases we need it to happen every time.
I would be THRILLED with an App Registration manifest option or a PowerShell command targeted at the app reg or enterprise app.