MFA is not enforced #223
Comments
|
Thanks for reporting this bug and help making aad-auth better. You are correct that as of now, MFA is not supported and enforced. This is something we definitively want to support in future release, but it needs quite some graphical work to display additional widgets and UIs in the graphical login manager. |
|
If the conditional access policy/multifactor condition is not met surely the user is not authenticated and the login should be denied? At the moment it is allowing sign in with the following noted in the Azure AD portal. 21/06/2023, 15:27:06 21/06/2023, 15:27:06 |
|
Even worse: When the MFA is enforced by the AAD backend, but never given by the user due to the successful login, this looks like a "PW of the user was compromised, but MFA saved the day" type of scenario to the AAD backend. This in return will increase the Identity Protection Risk Score of that user and by that – in the long run – results in blocking them. This is a major blocker for us, preventing adaptation into our managed corporate Linux client. |
|
You could implement the device code flow to provide some simple MFA capabilities. |
I wonder if the Identity Protection Risk Score for the user is still increased if the failed auth due to MFA requirement is immediately followed by a successful MFA from the same device? |
|
Adding MFA flow including FIDO2 is just a must! Something like GDM built-in Google Chrome capabilities so user will do SSO flow post username enter. I admit this is a huge ask, but this is a modern way of ZERO TRUST. |
Define technically "same device". It's easy on an MS Intune managed device. The browser sends along the device identifier and the backend can identify the device by that (and more). But on non-Intune managed devices it's just a device that's connecting accidentally from the same IP. |
So AAD domain join the device so you have a device ID. I'm working on this now in Samba and Himmelblau. I believe RH has started implementing AAD join in sssd also. |
|
Here's a spec I wrote up with instructions on how to domain join with AAD: |
|
You can see how I implemented AAD MFA in himmelblau here: https://github.com/himmelblau-idm/himmelblau/blob/main/src/common/src/idprovider/himmelblau.rs |
|
@didrocks refers to graphical functionality - does this mean that MFA is not supported for users logging in over a CLI session such as SSH or a headless system? |
Our Azure AD is configured to enforce MFA on all cloud applications. When logging in Ubuntu, there is no prompt for a MFA code, but the login is accepted anyway, even though there is a MFA policy error on Azure side.
Is MFA supposed to be implemented in this plugin?
The text was updated successfully, but these errors were encountered: