Ask MFA if device is not compliant - not possible?

Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
2021-07-26T12:23:15.53+00:00

I am testing different Conditional Access policies with MFA, so I have 3 different policy;

  1. Office local apps -> device is compliant -> grant
  2. Office local apps -> MFA-> grant
  3. Office web apps -> MFA->grant

With these options, users with a non-compliant device do receive MFA but are still not allowed in. But the same user opening office.com from a non-compliant device via WEB gets into Office web apps fine. I would like to achieve the scenario that, if the device is not compliant, MFA would pop up for Office local apps. Not sure if it is even possible.

Microsoft Entra ID

5 answers

  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2021-07-26T13:36:30.797+00:00

    @Pavel yannara Mirochnitchenko Thanks for reaching out.

    Under the Office local apps policy, try this configuration and test:

    117972-image.png

    Let us know if this meets your expectation.

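    To show why the three separate policies in the question behave as described (MFA is prompted, yet a non-compliant device is still refused for local apps, while the web app is fine), here is an added example that is not from this thread or from Microsoft: a simplified model of how Conditional Access combines every policy that matches one sign-in. The model's assumptions are that a Block policy always wins, that every other matching policy must be satisfied, and that a policy can demand either all of its grant controls or any one of them; the redesigned "compliant device OR MFA" policy is an assumed fix, not a claim about the screenshot above.

    ```python
    # Simplified model of Entra Conditional Access (CA) policy combination.
    # Assumptions (not an official implementation): every policy whose
    # conditions match is evaluated; Block wins; otherwise EVERY matching
    # policy must be satisfied. require_all=True needs all controls of that
    # policy, require_all=False needs any one of them.
    from dataclasses import dataclass, field


    @dataclass
    class SignIn:
        app: str                 # "local" (Office client) or "web"
        device_compliant: bool
        mfa_done: bool           # MFA already satisfied for this sign-in


    @dataclass
    class Policy:
        name: str
        apps: set                # app types the policy targets
        block: bool = False
        controls: set = field(default_factory=set)  # {"compliant", "mfa"}
        require_all: bool = True


    def control_met(control, s):
        return {"compliant": s.device_compliant, "mfa": s.mfa_done}[control]


    def evaluate(policies, s):
        """Return ('grant'|'block'|'fail', [names of unsatisfied policies])."""
        unsatisfied = []
        for p in policies:
            if s.app not in p.apps:
                continue
            if p.block:                      # Block overrides any grant
                return "block", [p.name]
            met = [control_met(c, s) for c in p.controls]
            if not (all(met) if p.require_all else any(met)):
                unsatisfied.append(p.name)
        return ("grant" if not unsatisfied else "fail"), unsatisfied


    # The three policies from the question, as three separate CA policies.
    ORIGINAL = [
        Policy("local: compliant device", {"local"}, controls={"compliant"}),
        Policy("local: MFA", {"local"}, controls={"mfa"}),
        Policy("web: MFA", {"web"}, controls={"mfa"}),
    ]
    # Assumed fix: one local-apps policy that requires ONE of the controls.
    REDESIGNED = [
        Policy("local: compliant OR MFA", {"local"},
               controls={"compliant", "mfa"}, require_all=False),
        Policy("web: MFA", {"web"}, controls={"mfa"}),
    ]
    ```

    With `evaluate(ORIGINAL, SignIn("local", False, True))` the result is `('fail', ['local: compliant device'])`: MFA was done, but the compliant-device policy still applies and cannot be satisfied, while the same sign-in on `"web"` is granted; the redesigned single policy grants it.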

  2. Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
    2021-07-27T19:07:29.427+00:00

    So I now have 3 policies;

    1. Block All Office local apps.
    2. Allow Office client apps without MFA if Device is compliant
    3. Allow Office web & client apps with MFA.

    I see this user activity in pic below, but he still gets "You cannot access this right now".

    118412-image.png

    Fyi @VipulSparsh-MSFT


  3. Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
    2021-07-28T06:47:31.01+00:00

    Just wondering here, does it make any sense at all to target more than one Conditional Access policy to the same user...?


  4. Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
    2021-07-28T10:07:04.333+00:00

    I also have disabled Security Defaults because I don't want MFA being applied to everyone. MFA is enabled per user. Currently the situation is that MFA is not prompted when it should be.


  5. Pavel yannara Mirochnitchenko 12,586 Reputation points MVP
    2021-07-29T09:35:55.17+00:00

    Okay, I think I got it... needed to redesign and rethink this a little bit. A few tips I learned;

    • AAD sign-in logs have SOME delay; logs are shown later, maybe even 15 min late.
    • Failure means the CA has denied the attempt, so you need to understand the difference.
      119041-image.png
    • MFA also means Fingerprint or PIN, so there would not always be an Authenticator app or SMS code. I totally forgot about this.
    • In IP known locations, the external / public IP range matters, not the internal one behind the NAT.
