PIM Role Activation & MFA Enforcement
We are looking to implement PIM to better manage our privileged roles in Azure AD; however, we are hitting a bit of a snag when it comes to MFA enforcement. Due to MS Partner Compliance, we need security defaults enabled, which means we are also unable to use conditional access.
The issue we have is that if someone wants to activate their role and has already completed an MFA challenge in their session (such as logging into Azure in order to access PIM), they bypass the requirement to complete an MFA challenge. A workaround to this is to use the approval process, but we would still like to have MFA actually work as described.
Has anyone else been in this situation previously and have any recommendations? Or is relying on an approval process the only solution available?
Hi @DmacTP - you do not need to use Security Defaults when you are a CSP Partner; Security Defaults is not the only option. As documented in the Partner Agreement, you can also use other methods that ensure all user accounts are protected with MFA for any authentication to any service in this tenant - like a CA policy that ensures each user is forced to do MFA.
However, this will still not solve your problem. The only way to re-trigger MFA for a user might be to use sign-in frequency policies to trigger MFA again, e.g. after an hour: Configure authentication session management - Azure Active Directory | Microsoft Docs
Still, if the user uses an Azure AD-joined Windows 10 device, or Windows Hello for Business, probably no MFA prompt would appear at all, since MFA has already been done there - see "Why are my users not prompted for MFA as expected?" - Microsoft Tech Community
The question is: why do you want to re-trigger MFA when the user has just proven who they are by doing MFA?
Get consultations from the Technical Presales & Deployment services team via https://aka.ms/technicalservices
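For readers who want to try the combination the answer above suggests (a Conditional Access policy that enforces MFA for all users in place of Security Defaults, plus a sign-in frequency control so an older MFA claim is re-challenged), here is an added example using the Microsoft Graph PowerShell SDK. It is not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, the caller has the Policy.ReadWrite.ConditionalAccess permission, and the break-glass account object ID is a placeholder you replace with your own emergency-access account.

```powershell
# Added example, not from the thread: create a Conditional Access policy that
# requires MFA for every user on every cloud app and caps the sign-in frequency
# at 1 hour, so an MFA claim older than that is re-challenged on the next request.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller holds
# Policy.ReadWrite.ConditionalAccess. $breakGlassId is a placeholder object ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account.
# Always exclude at least one such account so a broken MFA registration cannot lock out every admin.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Require MFA for all users, re-prompt hourly"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency: require a fresh authentication once the session is older than 1 hour.
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the session control the tenant actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty SessionControls |
    Select-Object -ExpandProperty SignInFrequency
```

The policy is created in report-only state on purpose: check the "Report-only" result column in the Azure AD sign-in logs for a few days before setting `state` to `enabled`. Note that the caveat in the answer still applies: on an Azure AD-joined device or with Windows Hello for Business the device sign-in already satisfies the MFA claim, so the user may see no interactive prompt even when the frequency window has expired.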