Option to enforce authentication every time you access an SSO app (e.g. SaaS app)
Add an option to enforce authentication every time you access an SSO app (e.g. SaaS):
- Option could be possible per app
- Option could be either 1) re-enter password (ignore SSO) or 2) guaranteed MFA prompt (ignore MFA token)
Scenario: shared PCs, personal logins, and a SaaS app holding sensitive payroll data. Concern: people don't log off, so anyone can walk up to the PC and get into the SaaS app via SSO. As of now even MFA doesn't help, due to the MFA token or Windows Hello strong auth; you can only play with the token lifetime.
Thank you for your feedback. We will review this request. Keep voting to help us prioritize.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
I need this for VPN through Conditional Access. Support said that our Hybrid AAD Joined machines get an MFA claim included in the Azure AD PRT.
If a user leaves their machine unattended in a foreign location, they have SSO to all Azure apps and VPN to on-premises.
We're not interested in MFA with Windows Hello for Business for this scenario, as we're dealing with machines with active user sessions. The machines themselves aren't that important, it's the VPN that we worry about.
The ideal outcome is that we can bypass the MFA token in the PRT and force the user to provide their preferred MFA method.
Alexander Filipin commented
This ensures that the user accessing the application is actually the logged on user.