
To improve the baseline security for Azure Active Directory (Azure AD), we recently changed the Azure AD behavior for multi-factor authentication (MFA) that is completed during device registration. At Microsoft, we want to ensure that we are providing our customers with features that improve productivity and securely protect organizations.

To provide greater security around MFA requirements, a change was made to the Azure AD authentication behavior during device registration. With this change, we no longer honor MFA that was completed during device registration after the user logs in to their device; instead, we require the user to complete MFA once more before accessing an MFA-protected resource in Azure AD. This change will not impact existing Azure AD-registered devices until their sessions have expired or become invalid. When attempting to retrieve access to a protected resource after a session has expired, the user will be prompted for MFA if there is a security policy that requires it. This baseline security change can slightly modify the experience in the Autopilot enrollment flow in specific scenarios where you use MFA, have multiple applications that require a reboot during the enrollment process, and have Conditional Access policies enabled.

How does this impact the Windows Autopilot customer experience? Previously, if a user completed MFA as part of their device registration, the MFA claim was carried over to the user state after registration was complete. Going forward, the MFA claim is not preserved after registration, and users will be prompted to redo MFA for any apps that require MFA by policy.

If you set the “Require Multi-Factor Authentication to register or join devices with Azure AD” option to “Yes”, Azure AD prompts users to complete MFA before joining or registering a device. Previously, this initial MFA completion was sufficient for all subsequent scenarios where MFA was required.

However, with the above change, users will experience additional MFA prompts during the Autopilot provisioning process if there are Conditional Access policies that require MFA for apps installed during the Enrollment Status Page (ESP), or if an installation or update requires a device reboot. In this scenario, the Windows Autopilot provisioning process will time out if the user does not respond to the additional MFA prompts.
