PIM MFA Requirement different for Edge & Chrome

Thomas Deliduka 5 Reputation points
2024-11-27T15:21:32.3133333+00:00

Tags like MFA, PIM and Conditional Access don't exist so I can't add those up there.

We have set up PIM in our environment and set up a Conditional Access Policy to force an MFA prompt with every activation. However, Edge will do it but Chrome will not. Below are screenshots.

Chrome: it doesn't even get to the point where it recognizes that the policy applies to the person:

User's image

But with Edge, it does recognize the resource (as not configured) and it prompts properly:

User's image

How do I get Chrome to work? What is "Resource"? I ask because I don't see it.

Microsoft Entra ID

2 answers

  1. Andy David - MVP 150.3K Reputation points MVP
    2024-11-27T15:38:29.3233333+00:00

    What does your CA policy look like specifically? You typically set MFA activation within the settings of the PIM role, not with a CA policy (and the CA policy is to set an auth context strength).

    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings#on-activation-require-multifactor-authentication


  2. Andy David - MVP 150.3K Reputation points MVP
    2024-11-27T16:01:44.9066667+00:00

    I don't think the session sign-in frequency requirement makes sense here.

    Per the article:

    User's image

    If you want the PIM group to MFA each time they access Azure, I would create a different CA policy and enforce session requirements there.

