We are using 365 and setting up multifactor authentication.

My thoughts are that users using hybrid Azure AD joined devices already have an additional form of authentication, which is the device. And given that a lot of my on-site users are not technically gifted, it would be preferable to forgo this for hybrid joined devices.

Now maybe this holds up, maybe it doesn't, I'm not sure. I don't know how an attacker could exploit this. But if I allow users using hybrid Azure AD joined devices not to require MFA, then some users who only use a single company laptop may never be presented with the multifactor authentication setup screen, and so MFA will never get set up. This in turn means if their account is compromised, the attacker could exploit that.

I can of course run reports and chase people but I'd rather find some way of forcing this automatically. I don't believe there is one though.

  • What's the question? – Sam Cogan Mar 25 '21 at 15:32
  • Is there a systematic way of enforcing MFA setup when this isn't required for users using hybrid Azure AD joined devices? – John Sayce Mar 25 '21 at 16:02
  • What do you want to be the trigger for whether or not the user is asked for MFA? – Sam Cogan Mar 26 '21 at 09:17
  • I would like the user to be asked as soon as they use any 365 services. However, in the case of conditional access, if I don't require it to log in on a hybrid Azure joined device, they won't be asked to set it up. It's something I would like done once at first logon. – John Sayce Mar 26 '21 at 10:43


The answer to what I was looking for is to use Azure AD Identity Protection and create a multifactor registration policy. This in turn requires an Azure AD Premium P2 license.

I found the answer in this blog post.

http://eskonr.com/2018/03/different-methods-to-setup-azure-mfa-registration-for-o365/
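The gap described in the question (a Conditional Access policy that accepts "MFA OR hybrid Azure AD joined device" never forces registration, so some users stay unregistered until the Identity Protection registration policy catches them) can be checked from the tenant's own data. The following added example, which is not part of the original question or answer, does two things: it flags Conditional Access policies whose grant controls let the device satisfy the requirement instead of MFA, and it walks the Microsoft Graph `userRegistrationDetails` report to list users who still have no MFA method registered. The Graph call itself is left to a caller-supplied `fetch` function (an HTTP client with a bearer token); the sample pages and policy below are constructed, and the user names, method lists and skip token are made up.

```python
from typing import Callable, Dict, Iterable, List

REPORT_URL = ("https://graph.microsoft.com/v1.0/reports/"
              "authenticationMethods/userRegistrationDetails")
NEXT_URL = REPORT_URL + "?$skiptoken=constructed-page-2"

# Constructed sample of two report pages, shaped like Graph's response and
# split across an @odata.nextLink so the paging logic is exercised.
SAMPLE_PAGES: Dict[str, dict] = {
    REPORT_URL: {
        "value": [
            {"userPrincipalName": "alice@example.com",
             "isMfaRegistered": True,
             "methodsRegistered": ["microsoftAuthenticatorPush"]},
            {"userPrincipalName": "bob@example.com",
             "isMfaRegistered": False,
             "methodsRegistered": []},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            # Registered an SSPR-only method; still not MFA-registered.
            {"userPrincipalName": "carol@example.com",
             "isMfaRegistered": False,
             "methodsRegistered": ["email"]},
        ],
    },
}

# Constructed Conditional Access policy in Graph's conditionalAccessPolicy
# shape: grant access if the sign-in satisfies MFA *or* comes from a
# hybrid Azure AD joined device (builtInControl "domainJoinedDevice").
SAMPLE_POLICY = {
    "displayName": "Require MFA or hybrid joined device (constructed)",
    "state": "enabled",
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["mfa", "domainJoinedDevice"],
    },
}


def fetch_sample(url: str) -> dict:
    """Stand-in for an authenticated GET against Graph; serves the sample."""
    return SAMPLE_PAGES[url]


def iter_registration_details(fetch: Callable[[str], dict],
                              url: str = REPORT_URL) -> Iterable[dict]:
    """Yield every record of the report, following @odata.nextLink."""
    while url:
        page = fetch(url)
        for record in page.get("value", []):
            yield record
        url = page.get("@odata.nextLink")


def users_without_mfa(fetch: Callable[[str], dict],
                      url: str = REPORT_URL) -> List[str]:
    """UPNs that have no MFA-capable method registered yet.

    isMfaRegistered is the field to trust: a user may have an SSPR-only
    method such as email in methodsRegistered and still be unregistered.
    """
    return sorted(
        record["userPrincipalName"]
        for record in iter_registration_details(fetch, url)
        if not record.get("isMfaRegistered", False)
    )


def device_can_replace_mfa(policy: dict) -> bool:
    """True when the policy's grant lets a hybrid joined device stand in
    for MFA, i.e. operator OR with both mfa and domainJoinedDevice.

    Under such a policy a user who only ever signs in from a hybrid joined
    laptop is never prompted to register, which is the gap in the question.
    """
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    return (grant.get("operator") == "OR"
            and "mfa" in controls
            and "domainJoinedDevice" in controls)


if __name__ == "__main__":
    if device_can_replace_mfa(SAMPLE_POLICY):
        print(f"policy '{SAMPLE_POLICY['displayName']}' lets the device "
              "satisfy the grant; MFA registration is not forced")
    for upn in users_without_mfa(fetch_sample):
        print(f"{upn}: no MFA method registered")
```

With a real client, `fetch` would send `Authorization: Bearer <token>` for an app with the report permission and return the parsed JSON body; everything else stays the same. The list this produces is the "report and chase" path the question wanted to avoid; the Identity Protection registration policy from the answer is what removes the need to run it.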