Azure VPN with Azure MFA should require two-factor authentication every time it connects
We are using Azure VPN client with Azure MFA, and the client requires the second factor (code via SMS) only when the user connects for the first time. After that, every time we click on the VPN icon, the VPN client connects automatically, ignoring the MFA requirement, even if we log off the user or turn off the PC. It seems that, after the first authentication with MFA, the client turns into a "one-factor authentication" access, requiring only userid and password. If someone obtains the Windows credentials for a user, an attacker with access to the laptop can connect remotely to the VPN using only the Windows credentials, which does not look like a secure solution for remote access. We would like to see a behavior more like other VPN solutions, where users have to enter the second factor every time they connect to the VPN. Thank you.
I found a solution that's working for me. We use the XML file for the VPN connection to import. In the XML file is a section with "cachesigninuser" with a value of true. When we set this value to false and import the XML file, every login will ask for MFA.
Patryk Roliow commented
We are facing the same issue as mentioned, but it seems it works if you never register the app and are using Work and school account every time you log on to the you will get MFA.
Niclas Skarnes commented
We have the same issue using Azure Open VPN with Azure Active Directory authentication with MFA.
We are using the Azure VPN application, and if we import the .xml with the VPN settings and log in for the first time we get the MFA. After that the users can just connect without any authentication, as explained above.
If we remove the VPN connection from the Azure VPN app and reimport the VPN settings using the .xml provided by Azure, we get the login again.
If we choose the saved/remembered account we do not get the MFA; if we choose to log in using a school or work account option and type in the exact same account as was on the list of remembered accounts, then we get the MFA.
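The profile change described in the first comment above (setting "cachesigninuser" to false before import), as an added example that is not part of the original thread or of any Microsoft tooling. The sample profile, its element layout and the function names are constructed for illustration; only the element name comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile. The layout is an assumption; only the
# "cachesigninuser" element name is taken from the thread.
SAMPLE_PROFILE = """<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <aad>
      <audience>00000000-0000-0000-0000-000000000000</audience>
      <cachesigninuser>true</cachesigninuser>
    </aad>
  </clientauth>
  <name>example-vnet</name>
</AzVpnProfile>"""

SETTING = "cachesigninuser"


def local_name(tag):
    """Strip a '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def harden_profile(xml_text):
    """Return (new_xml, findings). findings holds the value seen in each
    cachesigninuser element; an empty list means the setting is absent,
    nothing was changed, and the profile needs manual review."""
    root = ET.fromstring(xml_text)
    # Keep the default namespace unprefixed when serialising.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    findings = []
    for elem in root.iter():
        if local_name(elem.tag).lower() == SETTING:
            findings.append((elem.text or "").strip().lower())
            elem.text = "false"
    return ET.tostring(root, encoding="unicode"), findings


def caches_sign_in(xml_text):
    """True if any cachesigninuser element is not exactly 'false'."""
    root = ET.fromstring(xml_text)
    return any((e.text or "").strip().lower() != "false"
               for e in root.iter() if local_name(e.tag).lower() == SETTING)


if __name__ == "__main__":
    fixed, seen = harden_profile(SAMPLE_PROFILE)
    print("values found:", seen)
    print("still caching after rewrite:", caches_sign_in(fixed))
```

Running `caches_sign_in` over every profile file before distribution gives a simple gate: any profile that returns True would let the client reuse the cached sign-in as described in this thread.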