Issue with PIM and MFA
We are moving our security to Privileged Identity Management and would like to force MFA when someone activates a role. The option is there (see attachment), but it does not work. If the user has already authenticated with MFA, it will not force them to authenticate again.
Any help or suggestions here?
3 answers
Sort by: Newest
-
David N 6 Reputation points
2022-09-22T13:51:00.267+00:00 If I implement a CA policy, there is no way to tie that to PIM activation, right? The only option would be limiting the MFA session of admins?
Thanks
David
-
Vasil Michev 96,916 Reputation points MVP
2022-09-22T06:53:19.877+00:00 If the user has already passed an MFA challenge, the relevant claims will be stamped within the access token and honored by PIM and other services, so this is expected. If your idea is to always force MFA, there's no good solution currently - best wait for PIM to support authentication context.
-
JimmySalian-2011 41,926 Reputation points
2022-09-21T20:22:28.1+00:00 Hi,
Check out the Conditional Access policy sign-in frequency and persistent browser settings; explore that section: howto-conditional-access-session-lifetime
concepts-azure-multi-factor-authentication-prompts-session-lifetime
==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
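The session-lifetime controls the answer above points at, and the "limit the MFA session of admins" idea from the question, can be expressed as a single Conditional Access policy. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from any of the posters. It assumes a hypothetical admin group and a break-glass account whose object IDs are placeholders, and it creates the policy in report-only mode so the effect on admin sign-ins can be reviewed before enforcement. Note that, as the accepted reasoning above explains, this shortens how long an existing MFA claim stays valid; it does not attach a fresh MFA prompt to the PIM activation itself.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
# Scope needed to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs (assumptions, replace with your own tenant's values):
$adminGroupId      = "00000000-0000-0000-0000-000000000001"   # group holding eligible PIM admins
$breakGlassUserId  = "00000000-0000-0000-0000-000000000002"   # emergency access account, always excluded

$policy = @{
    displayName = "Admins - require MFA, re-authenticate every hour, no persistent browser"
    # Start in report-only mode so sign-in logs show what the policy would have done.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeGroups = @($adminGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        # Persistent browser session control requires the policy to target all cloud apps.
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency: an existing session (and its MFA claim) is only trusted for 1 hour,
        # after which the admin must authenticate again.
        signInFrequency   = @{
            value     = 1
            type      = "hours"
            isEnabled = $true
        }
        # Never keep the browser session after the browser is closed.
        persistentBrowser = @{
            mode      = "never"
            isEnabled = $true
        }
    }
}

# Create the policy and show the resulting object ID and state.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After watching the report-only results in the sign-in logs, switch `state` to `"enabled"`. Keeping the emergency access account excluded is what prevents a misconfigured sign-in frequency from locking every administrator out at once.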