macOS - Enforce MFA through Authenticator app instead of stored (SSO) token

Guus Bakker 20 Reputation points
2025-11-10T13:39:28.8733333+00:00

Hi All!

We're currently implementing CyberArk as an EPM solution, but we're facing an issue with the Step-Up Authentication. If an app or process requires the user to validate their identity, CyberArk Step-Up Authentication will be presented. The user should log in with their Microsoft credentials. Now, on our macOS devices, we also have the Enterprise SSO Extension in place. This is great, since it takes care of a whole lot of sign-ins (currently testing with Platform SSO). Now, this SSO implementation stores the received token on the device and the Step-Up Authentication keeps using it, resulting in a Step-Up Authentication that only requires two clicks without actually asking for any authentication.

Question: Is it possible to force the App Registration to ask for the Authenticator? We've already spoken with MS themselves and have been told that, because it's using the Microsoft Graph, Conditional Access isn't an option. Are there possibly any other ways to enforce the App Registration of CyberArk EPM to ask for the Authenticator instead of picking up the stored token?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  Shubham Sharma 4,245 Reputation points Microsoft External Staff Moderator
    2025-11-13T21:42:15.45+00:00

    Hello Guus Bakker

    Thank you for reaching out to Microsoft Q&A.

    Below are the possible workarounds:

    1. Force Reauthentication via OIDC Parameters

    Configure the CyberArk EPM app registration to include prompt=login or max_age in the OIDC request.

    These parameters instruct Entra ID to ignore cached tokens and require the user to re-enter credentials (and MFA if configured).

    This is the most direct way to break silent SSO for Step-Up Authentication.

    For your reference: https://docs.cyberark.com/epm/latest/en/content/epm/server%20user%20guide/stepupauthentication.htm

    2. Use CyberArk Identity as External Authentication Method

    CyberArk can act as an External Authentication Method (EAM) in Entra ID.

    This allows you to enforce MFA at the CyberArk layer, independent of Entra ID token reuse.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage

    3. Disable SSO for Specific Apps

    In the Enterprise SSO Extension profile, you can block certain apps from using cached tokens by adding them to the AppBlockList.

    This forces those apps (e.g., CyberArk EPM) to prompt for full authentication instead of leveraging SSO.

    For your reference: https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#more-configuration-options

    Please let us know if the above steps help you. Thanks

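The first workaround in the answer above (prompt=login plus max_age) only helps if the relying party also checks what comes back, otherwise a dropped parameter or a reused SSO session still produces a two-click "step-up". The following is an added example, not code from this thread, from CyberArk or from Microsoft: a stand-in for the EPM step-up client that builds the authorize request with both parameters and then refuses the ID token unless its auth_time is inside the max_age window (and, optionally, amr lists mfa). The tenant ID, client ID and redirect URI are placeholders, and the ID tokens are constructed inline for the demo with a fake signature; real signature validation against the tenant JWKS is assumed to happen in the OIDC library before these checks run.

```python
"""Added example, not code from the Q&A thread, CyberArk or Microsoft.

Both halves of the "force reauthentication via OIDC parameters" workaround:
  1. the relying party adds prompt=login and max_age to the authorize request;
  2. when the ID token comes back, the relying party checks auth_time (and,
     optionally, amr) before treating the step-up as satisfied, so a silently
     reused SSO session is rejected even if prompt=login was ignored upstream.
Tenant ID, client ID and redirect URI are placeholders; the ID tokens are
constructed inline for the demo (fake signature, never verified here).
"""
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"          # placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"          # placeholder
REDIRECT_URI = "https://epm.example.invalid/oidc/callback"  # placeholder
STEP_UP_MAX_AGE = 60  # seconds: how fresh the authentication must be for a step-up


def build_authorize_url(nonce: str, state: str, max_age: int = STEP_UP_MAX_AGE) -> str:
    """Authorize request that tells Entra ID not to satisfy it from the cached
    browser/SSO session: prompt=login forces an interactive sign-in and
    max_age makes auth_time a required claim in the returned ID token."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "prompt": "login",
        "max_age": str(max_age),
        "nonce": nonce,
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?"
            + urlencode(params))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def payload_claims(id_token: str) -> dict:
    """Split a compact JWT and return its payload. Signature verification is
    assumed to have been done already by the OIDC library; this function
    deliberately verifies nothing."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def step_up_satisfied(claims: dict, expected_nonce: str,
                      max_age: int = STEP_UP_MAX_AGE,
                      require_mfa_amr: bool = False,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether an ID token proves a fresh authentication. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign token)"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        # With max_age in the request, OIDC requires auth_time in the response;
        # its absence means the parameter was dropped or ignored somewhere.
        return False, "auth_time missing: max_age was not honoured"
    if now - auth_time > max_age:
        return False, f"auth_time is {int(now - auth_time)}s old: cached session reused"
    # amr ("pwd", "mfa", ...) is not emitted by every token version/endpoint,
    # so it is an optional extra check rather than the primary one.
    if require_mfa_amr and "mfa" not in claims.get("amr", []):
        return False, "no MFA method in amr"
    return True, "fresh authentication"


def make_demo_id_token(claims: dict) -> str:
    """Constructed sample token for the demo: real-looking structure, fake signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.not-a-real-signature"


if __name__ == "__main__":
    print(build_authorize_url(nonce="n-1234", state="s-5678"))
    now = time.time()
    fresh = make_demo_id_token({"nonce": "n-1234", "auth_time": int(now) - 10,
                                "amr": ["pwd", "mfa"]})
    stale = make_demo_id_token({"nonce": "n-1234", "auth_time": int(now) - 3600,
                                "amr": ["pwd", "mfa"]})
    for name, tok in (("fresh", fresh), ("stale", stale)):
        print(name, step_up_satisfied(payload_claims(tok), "n-1234", now=now))
```

The point of the second half is that the freshness decision lives in the relying party rather than in the SSO extension: whatever the Platform SSO broker hands back, a token whose auth_time predates the step-up prompt is treated as "no authentication happened". The nonce check is there because a step-up that accepts any recent token, not the one issued for this request, can be satisfied by a token from a different flow.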
