Additional MFA for PIM enablement

Question

Additional MFA for PIM enablement

Karthick G 101

Hi,

Azure AD MFA is configured with Okta, So MFA authentication happens when user try to login to Azure portal and we wanted MFA to pop up again when users are activating high privilege PIM in existing browser session is that possible ?

Accepted answer

1 additional answer

Your answer

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @Karthick G • Thank you for reaching out.

Azure AD PIM can be configured to trigger MFA on activation of a role only when the user has not already done MFA during the same session.

If the user has already performed MFA during the initial sign-in to the Azure Portal, this information is stored in the ESTSAuth cookies. When the user accesses the PIM service to activate the role, an access token is silently acquired using these cookies. The access token is then passed as the bearer token along with your call to api.azrbac.mspim.azure.com, as highlighted below:

When you decode the token, you will see that the amr claim contains the information about the authentication methods user has already performed which will contain MFA as well.

That way PIM identifies that the user has already done MFA and shouldn't be prompted for MFA again. If the user has not done MFA in the first place, amr claim won't include MFA and the user would need to perform MFA to activate the role, provided you have configured the below setting for the privileged role such as Global Admin as shown below:

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Karthick G 101 Reputation points

2022-06-03T13:32:56.073+00:00
Thanks for the reply @AmanpreetSingh-MSFT .

I have a follow up questions.

If the user is authenticated via 3rd party authenticator ( Okta ) can I also configure Azure MFA for PIM enablement since " Require Azure MFA " option is turned on.

For security reason if we need one more layer of authentication for Global admin is there any work around ?
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-06-03T17:56:56.313+00:00

@Karthick G • As you have Okta federated with Azure AD, tokens will be issued by Okta and sent to Azure AD. Upon receiving the token issued by Okta, Azure AD issues a new token and sets new cookies. If Okta provides the information that the user has done MFA and Azure AD passes that information in the ESTSauth cookies, MFA won't be triggered during the same session (as explained above).

If the MFA information is not stored in the cookies, MFA will be triggered for every Azure Service and not just PIM which won't be a great user experience. There is prompt=login parameter in OAuth that can force reauthentication (including 1st factor) but since we don't have the option to customize authentication requests for PIM, that won't help.

So, as per the design, I don't think there is any option or workaround to re-prompt for MFA only for PIM in the scenario where user has already done MFA during same session.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2022-06-06T08:20:59.203+00:00

@Karthick G • Just checking if you have any further questions.
Karthick G 101 Reputation points

2022-06-06T15:05:20.847+00:00

Hello @AmanpreetSingh-MSFT , Thanks for the detail explanation.

Answer 2

Muhammad Amir Nadeem 5

In addition to role settings details. You can create CA policy with Authentication context and push notification and also changed the session frequency to every time and apply to users.

Share via

Additional MFA for PIM enablement

1 additional answer

Your answer