Mysterious case of "Your Organisation Needs More Information To Keep Your Account Secure"

I had a mysterious case of the famous "Your Organisation Needs More Information To Keep Your Account Secure" prompt that applied to new accounts and never used to trigger before. By the power of Grayskull, what is this all about? Well, if you do not know what I am talking about, it's this:


This is the famous "multifactor registration" screen, which is triggered when you use a cloud application under the Office 365 umbrella or an Enterprise application that is part of an SSO requirement.

Conditional Access : The way it should work

The MFA process and MFA enrollment should these days be controlled by Conditional Access. Conditional Access is an identity service that applies policy based on the user's identity, nothing wrong with that, but remember that Conditional Access needs to know who you are before it can apply a policy to you.

Conditional Access : Named Locations

That is the key here. However, many organisations have a "named location" in Conditional Access that is excluded from MFA enforcement under the locations ("networks") condition; this is where Named locations lives:



However, when you add a list of IP addresses, ensure that they are not marked as trusted unless you actually trust them, and by that I do not mean "least administrative effort" trust. A trusted location is not just a Conditional Access exclusion: Identity Protection also uses trusted locations when it scores sign-in risk, so the flag reaches further than the one policy you are editing. The red box indicates that here I do.


Anyway, I digress; this is just laying the foundations. If Conditional Access is applying MFA and MFA registration, you will see in one of your many policies that under the "Grant" section "Require multifactor authentication" is enabled. This control governs both MFA usage and registration: a user who matches the policy and has no MFA method registered is taken through registration before the grant is satisfied. Sweet.


Review sign-in logs

However, when you review the sign-in logs for the user you see this, which tells you that the sign-in was interrupted, meaning something has not been completed, which is usually MFA. That's weird.


If you look at one of these sign-in entries you will notice that all the Conditional Access policies say "Not applied", as below. How weird, or is it?



So this tells us that something other than Conditional Access is forcing the MFA registration page. Now we need to figure out what that is, so open the Authentication tab on that sign-in request and you will see this:



Right, so the cause of this is not Conditional Access but Identity Protection; we were looking in the wrong place. Let's pop over to Identity Protection, which starts at Azure Active Directory (AAD):
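Before clicking through the portal, it helps to see how many sign-ins show this pattern and which service the Authentication tab blames for each one. The script below is an added example written for this post, not code from the article or from Microsoft. It reads sign-in entries in the Microsoft Graph `signIn` shape (the JSON you get from the sign-in logs download), keeps the ones interrupted for MFA registration where every Conditional Access policy reads "Not applied", and reports the requirement provider behind them. The error code 50072 and the exact `requirementProvider` strings are assumptions on my part, and the sample entries are constructed, not real tenant data.

```python
"""Triage exported Azure AD sign-in logs for MFA registration interrupts that
Conditional Access did not cause.

Added example for this post, not the article's own code or Microsoft's. Input
is a list of entries in the Microsoft Graph `signIn` shape (the JSON download
from the sign-in logs blade). The sample entries below are constructed.
"""
import json
from collections import Counter

# Assumption: AADSTS50072 (UserStrongAuthEnrollmentRequiredInterrupt) is the
# status code behind the "Your organisation needs more information" interrupt.
MFA_REGISTRATION_INTERRUPT_CODES = {50072}

# Assumption: these requirementProvider strings are what Graph reports in
# authenticationRequirementPolicies, i.e. what the portal's Authentication tab shows.
PROVIDER_LABELS = {
    "multiConditionalAccess": "Conditional Access",
    "mfaRegistrationRequiredByMultiConditionalAccess": "Conditional Access",
    "mfaRegistrationRequiredByIdentityProtection": "Identity Protection",
    "securityDefaults": "Security defaults",
    "mfaRegistrationRequiredBySecurityDefaults": "Security defaults",
}

# Constructed sample export, trimmed to the fields the checks below read.
SAMPLE_SIGNINS = json.dumps([
    {   # the case from the post: interrupted, every CA policy "Not applied"
        "id": "sample-1", "userPrincipalName": "new.starter@contoso.example",
        "appDisplayName": "Office 365 SharePoint Online",
        "status": {"errorCode": 50072},
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for all users", "result": "notApplied"}],
        "authenticationRequirementPolicies": [
            {"requirementProvider": "mfaRegistrationRequiredByIdentityProtection"}],
    },
    {   # healthy sign-in: CA applied and the user already has MFA registered
        "id": "sample-2", "userPrincipalName": "old.hand@contoso.example",
        "appDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for all users", "result": "success"}],
        "authenticationRequirementPolicies": [
            {"requirementProvider": "multiConditionalAccess"}],
    },
    {   # registration interrupt driven by the CA grant itself: expected, not a finding
        "id": "sample-3", "userPrincipalName": "another.starter@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "status": {"errorCode": 50072},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for all users", "result": "success"}],
        "authenticationRequirementPolicies": [
            {"requirementProvider": "mfaRegistrationRequiredByMultiConditionalAccess"}],
    },
])


def load_signins(text: str) -> list:
    """Parse a JSON export of sign-in entries."""
    return json.loads(text)


def is_mfa_registration_interrupt(entry: dict) -> bool:
    """The sign-in stopped at the MFA registration screen."""
    return entry.get("status", {}).get("errorCode") in MFA_REGISTRATION_INTERRUPT_CODES


def conditional_access_applied(entry: dict) -> bool:
    """True only if CA evaluated and matched at least one policy. Every policy
    reading 'notApplied' is the tell-tale the post describes."""
    if entry.get("conditionalAccessStatus") in ("success", "failure"):
        return True
    return any(p.get("result") in ("success", "failure")
               for p in entry.get("appliedConditionalAccessPolicies", []))


def enforcement_sources(entry: dict) -> list:
    """Map the Authentication-tab requirement providers to the service behind them."""
    providers = {p.get("requirementProvider", "")
                 for p in entry.get("authenticationRequirementPolicies", [])}
    return sorted(PROVIDER_LABELS.get(p, f"unknown ({p})") for p in providers) or ["unknown"]


def triage(entries: list) -> list:
    """Return the registration interrupts that no Conditional Access policy accounts for."""
    findings = []
    for entry in entries:
        if not is_mfa_registration_interrupt(entry) or conditional_access_applied(entry):
            continue
        findings.append({"id": entry.get("id"), "user": entry.get("userPrincipalName"),
                         "app": entry.get("appDisplayName"),
                         "sources": enforcement_sources(entry)})
    return findings


def summarise(findings: list) -> Counter:
    """Count which service outside Conditional Access is forcing registration."""
    return Counter(source for f in findings for source in f["sources"])


if __name__ == "__main__":
    found = triage(load_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f"{f['id']}: {f['user']} -> {f['app']} forced by {', '.join(f['sources'])}")
    print(dict(summarise(found)))
```

Run it against a real export and the summary tells you whether the interrupts are coming from Identity Protection, security defaults, or something the script does not recognise (which it reports verbatim rather than guessing). Only `sample-1` is flagged: `sample-3` also hits the registration screen, but Conditional Access evaluated and matched a policy there, which is the expected path.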



Then, once here, choose Security from the menu:



Then, from Protect, you want Identity Protection:



Then from here you require the final option, Multifactor authentication registration policy, as below:



Then you will see the option that is being forced in that login:



Finally, if you click on the users the policy is applied to (the bit where the black box is) you will see this: a list of users and groups that this policy is applied to. You will not get a goofy-looking bear, but that would be nice, right?


The list of users and groups, or rather the group in this case, will contain either an Active Directory (AD) synchronised group or an Azure Active Directory (AAD) group, and every user in that group is being forced to complete multifactor registration outside of Conditional Access.

Conditional Access : Services outside the gatekeeper

Identity Protection is one of those services that sits before Conditional Access, which means this particular policy (amongst others) kicks in before Conditional Access is evaluated, which is why the Conditional Access policies on the sign-in show "Not applied". The Authentication tab on the sign-in request tells you which service is enforcing the requirement.

In this particular instance the group should not have been added to the Identity Protection policy at all: if you understand how the pieces fit together, Conditional Access would have taken care of MFA registration without question or issue.

If you use services that kick in before Conditional Access, remember that you cannot apply your Conditional Access exceptions (trusted named locations, excluded users or groups) to them; Identity Protection is a fine example of this. Think long term about the groups you are blindly adding to policies and what the impact of that decision will be further down the road.

Resolution

Remove the group from the Identity Protection policy. That gave control back to Conditional Access, which no longer exhibited the issues outlined earlier. Remember, to fix issues you need to understand the technology stack end-to-end, not just "bits of it".
