Provide a Conditional Access option to choose whether or not to allow PRT to satisfy an MFA requirement.
Our position is that having MFA satisfied by a claim via PRT and TPM creates a Conditional Access policy loophole.
When a device is hybrid joined to Azure AD and the TPM sensor has been enabled, the PRT is able to satisfy the MFA request from a Conditional Access rule. This creates a vulnerability, because it bypasses CA rules that are configured to intentionally and explicitly require MFA. An example of this is a user who has a laptop and has previously signed in successfully: if the valid user's session were to become compromised, an attacker could operate within the trusted profile session. An approach we would like to take to thwart this scenario is to explicitly require an active MFA prompt that involves a human action (such as approving via the Authenticator application) as an access condition when employees access a particularly sensitive application. When a Conditional Access policy is set to require MFA, we would like the option to require MFA regardless of whether the TPM/PRT token status would otherwise satisfy the MFA claim.
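As an added illustration (not part of the original feedback post), the following Python script shows how a defender can measure the behaviour described above in sign-in logs: it classifies each sign-in as MFA satisfied interactively, MFA satisfied only by a claim carried in the token (the PRT case), MFA not required, or MFA failed, and lists the token-claim cases against sensitive applications. The record layout follows the Microsoft Graph `signIn` resource (`authenticationRequirement`, `appliedConditionalAccessPolicies`, `authenticationDetails`) and the "MFA requirement satisfied by claim in the token" detail string that the sign-in log reports; the sample records are constructed, and both the field names and the detail string should be treated as assumptions to verify against your own tenant's export.

```python
"""Classify Azure AD / Entra ID sign-ins by how a Conditional Access MFA
requirement was met, and flag the ones satisfied only by a token claim (PRT).

Added example; field names follow the Microsoft Graph signIn resource and are
assumptions to check against your tenant's actual log export."""

MFA_REQUIREMENT = "multiFactorAuthentication"
TOKEN_CLAIM_MARKER = "satisfied by claim in the token"  # assumed detail text
# First-factor or non-interactive methods that do not count as a human MFA action.
NON_INTERACTIVE_METHODS = {"Password", "Previously satisfied"}

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {   # MFA required by CA, but satisfied by the claim in the PRT: no prompt shown.
        "id": "s1", "userPrincipalName": "alice@example.com",
        "appDisplayName": "Payroll Portal",
        "authenticationRequirement": MFA_REQUIREMENT,
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for Payroll",
             "enforcedGrantControls": ["Mfa"], "result": "success"}],
        "authenticationDetails": [
            {"authenticationMethod": "Password",
             "authenticationMethodDetail": "Password in the cloud", "succeeded": True},
            {"authenticationMethod": "Previously satisfied",
             "authenticationMethodDetail": "MFA requirement satisfied by claim in the token",
             "succeeded": True}],
    },
    {   # MFA required and satisfied by an Authenticator approval (human action).
        "id": "s2", "userPrincipalName": "bob@example.com",
        "appDisplayName": "Payroll Portal",
        "authenticationRequirement": MFA_REQUIREMENT,
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for Payroll",
             "enforcedGrantControls": ["Mfa"], "result": "success"}],
        "authenticationDetails": [
            {"authenticationMethod": "Password",
             "authenticationMethodDetail": "Password in the cloud", "succeeded": True},
            {"authenticationMethod": "Mobile app notification",
             "authenticationMethodDetail": "Microsoft Authenticator", "succeeded": True}],
    },
    {   # No MFA requirement at all; a token claim satisfying the first factor is expected.
        "id": "s3", "userPrincipalName": "carol@example.com",
        "appDisplayName": "Wiki",
        "authenticationRequirement": "singleFactorAuthentication",
        "appliedConditionalAccessPolicies": [],
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied",
             "authenticationMethodDetail": "First factor requirement satisfied by claim in the token",
             "succeeded": True}],
    },
    {   # MFA required, prompt shown, but the user never approved.
        "id": "s4", "userPrincipalName": "dave@example.com",
        "appDisplayName": "Payroll Portal",
        "authenticationRequirement": MFA_REQUIREMENT,
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for Payroll",
             "enforcedGrantControls": ["Mfa"], "result": "failure"}],
        "authenticationDetails": [
            {"authenticationMethod": "Password",
             "authenticationMethodDetail": "Password in the cloud", "succeeded": True},
            {"authenticationMethod": "Mobile app notification",
             "authenticationMethodDetail": "Microsoft Authenticator", "succeeded": False}],
    },
]


def mfa_required(record):
    """True if the sign-in carried an MFA requirement, from the top-level
    authenticationRequirement or from an applied CA policy enforcing the Mfa grant."""
    if record.get("authenticationRequirement") == MFA_REQUIREMENT:
        return True
    return any("Mfa" in p.get("enforcedGrantControls", [])
               for p in record.get("appliedConditionalAccessPolicies", []))


def classify_signin(record):
    """Return one of: mfa-not-required, mfa-by-token-claim, mfa-interactive,
    mfa-failed-or-incomplete."""
    if not mfa_required(record):
        return "mfa-not-required"
    steps = record.get("authenticationDetails", [])
    # A successful MFA-level step whose detail says the claim came from the token
    # means the requirement was met without any human action in this session.
    for step in steps:
        detail = step.get("authenticationMethodDetail", "")
        if step.get("succeeded") and detail.startswith("MFA") and TOKEN_CLAIM_MARKER in detail:
            return "mfa-by-token-claim"
    if any(s.get("succeeded") and s.get("authenticationMethod") not in NON_INTERACTIVE_METHODS
           for s in steps):
        return "mfa-interactive"
    return "mfa-failed-or-incomplete"


def find_mfa_satisfied_by_token(signins, sensitive_apps=None):
    """IDs of sign-ins where MFA was required but met only by a token claim,
    optionally restricted to a set of sensitive application display names."""
    return [r["id"] for r in signins
            if classify_signin(r) == "mfa-by-token-claim"
            and (sensitive_apps is None or r.get("appDisplayName") in sensitive_apps)]


def summarize(signins):
    """Count sign-ins per classification, useful as a baseline for how often
    a CA MFA requirement is being met silently."""
    counts = {}
    for r in signins:
        label = classify_signin(r)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
    print("token-claim MFA against sensitive apps:",
          find_mfa_satisfied_by_token(SAMPLE_SIGNINS, {"Payroll Portal"}))
```

Run against a real export, the `mfa-by-token-claim` count for a sensitive application tells you how much of the traffic the requested "always prompt" option would change, and the per-user list is the set of sessions where a stolen device session would have passed the MFA gate without a human in the loop.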
Peter Gierveld - External commented
I understand and voted for this request.
However, the motivation actually implies another option: to request an interactive (MFA) logon to happen, using Azure Cloud MFA or on-prem MFA for federated users, just like the authentication requests in SAML 2.0 or OIDC allow you to do.
Owen Brown commented
We are having the same issue as well. We are not getting MFA for the user because they are using the PRT session and that token has satisfied the sign-in. I want the users to get the MFA prompt when the CA says they should.