Governing when users receive authentication prompts when authenticating to Azure Active Directory (Azure AD) is depending on more than one setting, on which functionalities are in use and also in which scenario you authenticate (Browser, Modern clients or other). Reauthentication can take place by asking for a single factor, like password, FIDO, the password less option in the Microsoft Authenticator app or by using Multi Factor Authentication (MFA)
So you might understand that how reauthentication must be configured really depends per company and per scenario, so luckily Microsoft provides options which you can configure.
You want users to reauthenticate more often when they come from a non-managed or non-registered device
You want users to reauthenticate more often when using a certain cloud application which you make available via Azure AD single sign on
You might want some users in your organization to authenticate more often than others based on their risk profile
In this article I’m going to explain the different options available and where to configure what setting so that you can govern your own reauthentication settings.
Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of October 21, 2020. Functionality may change, even right after this post has been published.
With Microsoft Intune, there is a lot of focus on the Mobile Device Management (MDM) aspects of the product. This is logical because from a management perspective, if you manage a device using MDM, you can configure almost all settings remotely, something we as System Administrators have been doing for many years.
In many situations, just managing the Apps which you use to access your company data hosted in Office 365 is a more suitable solution, there are a couple of reasons for that.
Many companies who want to implement measures to protect their company data, already allow access to company data via email, apps but now want to manage that. End users, even the ones provided with a device owned by the company, use the device for personal usage as well.
Implementing a MDM solution for mobile devices, is far more complex and more intensive from a system management point of view, in many cases the MDM solution provides way more functionality than what’s really required (protect the company data)
Mobile Application Management (MAM) in some cases is a perfect way to let your end-users use their device the way they are used to, but also implement security measures which protect your company’s most valuable asset: The data.
In this article I will go into more detail of the MAM without enrollment (MAM-WE) functionality provided by Microsoft Intune/Microsoft Endpoint Manager.
Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of October 10, 2020. Functionality may change, even right after this post has been published.
In August last year, I published eight articles in a series on Conditional Access, and later when finished I decided to bundle those articles in a paper which I made available on the TechNet Gallery. In March this year, Microsoft decided to retire the TechNet Gallery, so I had to find another solution to host this paper and some of the additional workflows and spreadsheets I posted as well. For now I’ve decided to host these on GitHub since that is an easy accessible location as well.
The articles I wrote at that time, will remains as is, and I’ve decided to update the paper once in a while to reflect the current status of Conditional Access. Even though some of the information in the articles is outdated, I still think that they can be of value.
Below I’ve summarized the articles I published last year:
While disabling this option for the end-users is recommended by Microsoft, and having a workflow in place to review any requests and approve if found valid is a more secure solution it introduced an administrative burden since each request must be reviewed by one of the defined users in the list of users to review admin consent requests.
In order to address this, Microsoft made some changes to the way the Admin consent workflow is working which allows an Azure AD administrator more control over which requests must be approved and which are allowed automatically.
Note: This post reflects the status of Admin consent as of May 22, 2020. Functionality may change, even right after this post has been published.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.