Thank you for your feedback. We will review this request. Keep voting to help us prioritize.
I need this for VPN through Conditional Access. Support said that our Hybrid AAD Joined machines get an MFA claim included in the Azure AD PRT.
If a user leaves their machine unattended in a foreign location, they have SSO to all Azure apps and VPN to on-premises.
We're not interested in MFA with Windows Hello for Business for this scenario, as we're dealing with machines with active user sessions. The machines themselves aren't that important, it's the VPN that we worry about.
The ideal outcome is that we can bypass the MFA token in the PRT and force the user to provide their preferred MFA method.
We’d love more input on what the challenges are with this scenario so we can understand more what needs to be addressed here.
We’d appreciate any more description of the scenario you could provide us at firstname.lastname@example.org.
29 votes · 6 comments · Azure Active Directory » Multi-factor Authentication

Kasper commented:
We want to integrate Conditional Access in our VPN profiles and we even made it work.
Guess what - we've set Azure MFA to remember devices for 7 days, and we want that for most other apps, but not a VPN, for Pete's sake. It doesn't give us the option to NOT remember devices.
We have to make the choice: either sacrifice usability for everyone else and require MFA on all devices, any time they are outside our Named Locations/trusted IPs, or keep our current, inferior VPN vendor.
This is something that's a no-brainer to include in Conditional Access per policy. "Allow device to remember for [x] days" Yes/No.
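The per-policy "do not remember this device" control the comment asks for, expressed as a Conditional Access policy that scopes a fresh MFA prompt to the VPN app only, while the tenant-wide 7-day remembered-device setting stays in place for everything else. This is an added example and is not part of the thread, of any commenter's post, or of Microsoft's own guidance. It assumes the Microsoft Graph PowerShell SDK is installed and `Connect-MgGraph` has been run with the `Policy.ReadWrite.ConditionalAccess` scope; the VPN app ID and the break-glass account ID are placeholders; and the property names follow the Microsoft Graph `conditionalAccessPolicy` resource (`sessionControls.signInFrequency` with `frequencyInterval` set to `everyTime`) as I know it, so verify them against the current Graph reference before relying on them.

```powershell
# Added example, not code from the original thread.
# Assumptions (not stated on the page):
#   - Microsoft.Graph PowerShell SDK installed; Connect-MgGraph already run with
#     the Policy.ReadWrite.ConditionalAccess scope.
#   - $vpnAppId is the Application (client) ID of the VPN Server app that the VPN
#     profile authenticates against in Azure AD; the GUID below is a placeholder.
#   - Property names follow the Graph conditionalAccessPolicy schema as I know it
#     (sessionControls.signInFrequency.frequencyInterval = 'everyTime'); check the
#     current Graph reference before use.

$vpnAppId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$breakGlass  = '11111111-1111-1111-1111-111111111111'   # placeholder object ID

$policy = @{
    displayName = 'VPN - require MFA every sign-in (ignore remembered devices)'
    # Start in report-only so the sign-in logs show who would be prompted
    # before anyone is actually blocked.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers = @('All')
            # Keep the emergency-access account out of every CA policy.
            excludeUsers = @($breakGlass)
        }
        applications = @{
            # Scope to the VPN app only; other apps keep the tenant-wide
            # "remember MFA on trusted devices for N days" behaviour.
            includeApplications = @($vpnAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Per-policy equivalent of "Allow device to remember: No". Every token
        # request for this app must redo primary AND second-factor auth, so a
        # cached remembered-device state or an MFA claim already in the PRT
        # does not satisfy the policy on its own.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
            type               = $null
            value              = $null
        }
    }
}

# Create the policy: POST /identity/conditionalAccess/policies
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType 'application/json'

"Created policy $($created.id) in report-only mode"

# Once report-only sign-in log entries look right for the VPN app, enforce it:
#   Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body (@{ state = 'enabled' } | ConvertTo-Json) -ContentType 'application/json'
```

Two caveats worth checking in a lab before enforcing. First, `everyTime` means exactly that: any token request for the VPN app triggers a new interactive MFA, so confirm the VPN client's reconnect behaviour on your platform does not turn into a prompt storm; if a short window is acceptable instead, use `frequencyInterval = 'timeBased'` with `type = 'hours'` and a small `value`. Second, test with a device that already holds a PRT carrying an MFA claim, since that is the scenario the thread is worried about, and confirm in the sign-in logs that the policy still demanded a fresh second factor.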