AnyConnect w. SAML (AzureAD) Azure MFA using Conditional Access?
I know that you can use RADIUS-authentication and install the NPS-addon for Azure MFA to get MFA however I am wondering if this is also possible when using SAML-authentication to AzureAD and then scoping the Cisco AnyConnect Enterprise App in a Conditional Access policy (which requires MFA)?
I've tried getting it to work, i.e.:
* Created a policy that scopes both my user and the Cisco AnyConnect enterprise application
  * The policy has: Grant: Require multi-factor authentication
When I check the "Insights & Reporting"-log and filter for that policy and the Cisco AnyConnect enterprise app I can see that the policy applies to my user (I can see my sign-in attempt) but my user is in the "Not applied"-category.
I tried creating a dedicated conditional access policy for AnyConnect (since the one I mentioned before has an additional parameter - session control) and with the dedicated policy my user was in the "Success" category.
Now I might be tired but I was expecting my user to be in the "User action required"-category (see below) since if the policy was enabled (it's currently in "report only"-mode) I would have needed to authenticate using my AzureMFA.
Now have I completely misunderstood "Require multi-factor authentication"? Does it actually prompt for MFA or does it simply require that the user has MFA set up / is enrolled in MFA? If it's the former then I don't understand how my login can be "Success" since it should have been "User action required", IF it isn't like this: having Azure MFA on various services I might have already, within some magic hidden timeframe, satisfied that requirement, i.e. I have authenticated with another service which requires Azure MFA. If it is the latter then I get that my login is a "Success" since my account is enrolled in MFA.
Personally, I think Azure Conditional Access is a pig when you have more than a handful of policies. It is difficult to see how policies overlap, and I have personally introduced security weaknesses when using Conditional Access by failing to think about how groups of policies interact with each other. It is easy to focus on the one new policy you are trying to create or edit, and forget how it changes the operation of existing policies.
Personally, I use Cisco Duo for most customers now. I consider it more secure because it is less prone to security vulnerabilities caused by inadvertent human error.
"Require multi-factor authentication" requires an MFA prompt if you are outside any session limit configured in any other policy that is applied to the user. For example, if you have a session limit configured for 60 minutes, and the user logged into Office 365 10 minutes ago, they will not get an MFA prompt for AnyConnect (or any other SAML application).
I think the session limit has a minimum configured limit of 60 minutes that you can not reduce. I could be wrong on this one.
I think it is impossible to force Azure to do an MFA prompt without any other strings attached using SAML.
I have had customers with Azure Conditional Access say they want an MFA prompt on every VPN login when using SAML - and I keep telling them this is not possible. It's an Azure AD restriction. If they want that they need to use another solution like Cisco Duo.
And the kicker is - Cisco Duo MFA is cheaper than Azure AD Premium 1.
Once you use something like Cisco Duo, you never want to go back to conditional access. It's yucky.
I really don't understand why my user seems to fulfill the MFA requirement, checking the Conditional Access Sign-In Logs and searching for the correlation ID which I got when looking into my "Success" event:
Activity Details: Sign-ins > Basic Info
MFA requirement satisfied by claim in the token
Activity Details: Sign-ins > Conditional Access
Policy Name: Not applicable
Activity Details: Sign-ins > Report Only
Enforce MFA (Cisco AnyConnect)
Require multi-factor authentication
Session Control: <blank>
So I get that if I had a session control on that conditional access policy it could have been satisfied when logging into other O365 services, but in this case that isn't configured and no other conditional access policies are applied. AzureMFA is also included in our users' licenses so we don't pay anything extra to use AzureMFA since the users have a license that covers that for other infrastructure needs (Intune etc.).
The thing is that we basically don't want another MFA service. It makes it harder for the end-users to use another app than Microsoft Authenticator and it's another thing to administer.
We could go the NPS route and install the AzureMFA add-on but that would introduce the following problems:
* The AzureMFA NPS add-on forces ALL RADIUS clients to use MFA
* RADIUS servers are shared between IPSec VPN and AnyConnect VPN, meaning that I can't route AnyConnect to specific NPS / RADIUS servers
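As an added illustration (not part of this thread or any vendor's tooling), a small Python triage script over sign-in log records shaped like Microsoft Graph signIn objects. Field names are assumed from that schema and every sample value is constructed; it separates AnyConnect sign-ins where MFA was freshly performed from ones where the requirement was "satisfied by claim in the token" (as in the log excerpt above) and lists report-only MFA policy results for each.

```python
import json

# Constructed sample sign-in records shaped like Microsoft Graph signIn objects.
# Field names are assumed from that schema; every value here is invented.
SAMPLE_SIGNINS = json.loads("""[
  {"id": "s1", "appDisplayName": "Cisco AnyConnect", "userPrincipalName": "alice@example.com",
   "conditionalAccessStatus": "notApplied", "authenticationRequirement": "multiFactorAuthentication",
   "authenticationDetails": [{"authenticationStepResultDetail":
     "MFA requirement satisfied by claim in the token", "succeeded": true}],
   "appliedConditionalAccessPolicies": [{"displayName": "Enforce MFA (Cisco AnyConnect)",
     "enforcedGrantControls": ["Mfa"], "result": "reportOnlySuccess"}]},
  {"id": "s2", "appDisplayName": "Cisco AnyConnect", "userPrincipalName": "bob@example.com",
   "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication",
   "authenticationDetails": [{"authenticationStepResultDetail":
     "MFA completed in Azure AD", "succeeded": true}],
   "appliedConditionalAccessPolicies": [{"displayName": "Enforce MFA (Cisco AnyConnect)",
     "enforcedGrantControls": ["Mfa"], "result": "success"}]}
]""")

def mfa_source(signin):
    """Say how the MFA requirement was met: a new prompt, a reused claim, or not required."""
    if signin.get("authenticationRequirement") != "multiFactorAuthentication":
        return "single-factor"
    details = " ".join(d.get("authenticationStepResultDetail", "")
                       for d in signin.get("authenticationDetails", []))
    if "claim in the token" in details:
        return "claim-in-token"  # carried over from an earlier MFA session, no new prompt
    return "fresh-prompt"        # MFA actually performed during this sign-in

def triage(signins, app="Cisco AnyConnect"):
    """One summary row per sign-in to `app`, with report-only MFA policy results."""
    rows = []
    for s in signins:
        if s.get("appDisplayName") != app:
            continue
        rows.append({
            "id": s["id"], "user": s["userPrincipalName"],
            "ca_status": s.get("conditionalAccessStatus"),
            "mfa_source": mfa_source(s),
            "report_only": [(p["displayName"], p["result"])
                            for p in s.get("appliedConditionalAccessPolicies", [])
                            if "Mfa" in p.get("enforcedGrantControls", [])
                            and p["result"].startswith("reportOnly")],
        })
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_SIGNINS):
        print(row)
```

A row whose mfa_source is "claim-in-token" is exactly the case Phillip describes: the grant was met by an earlier MFA session, so switching the policy from report-only to enabled would not have produced a prompt either.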
I agree with Phillip. We use DUO Mobile (first ten users are free). We pay 3.00 a user monthly; they use the built-in Windows 10 client. You can have it authenticate against your AD and use MFA. DUO has multiple group policies you can set up. I like DUO for the log report: when a user says "I cannot get on the VPN", I go to the DUO log and see they never accepted the DUO push.