This repository has been archived by the owner on May 2, 2024. It is now read-only.

MFA is not enforced #223

Open
deguet-cintoo opened this issue May 9, 2023 · 11 comments
Labels
enhancement New feature or request

Comments

@deguet-cintoo

Our Azure AD is configured to enforce MFA on all cloud applications. When logging in to Ubuntu, there is no prompt for an MFA code, but the login is accepted anyway, even though there is an MFA policy error on the Azure side.
Is MFA supposed to be implemented in this plugin?

@didrocks
Member

Thanks for reporting this bug and helping make aad-auth better. You are correct that as of now, MFA is not supported or enforced.

This is something we definitely want to support in a future release, but it needs quite some graphical work to display additional widgets and UIs in the graphical login manager.

@didrocks didrocks added the enhancement New feature or request label May 10, 2023
@the365labs

If the conditional access policy/multifactor condition is not met surely the user is not authenticated and the login should be denied?

At the moment it is allowing sign in with the following noted in the Azure AD portal.

21/06/2023, 15:27:06
Password in the cloud
Succeeded: true
Correct password

21/06/2023, 15:27:06
Succeeded: false
MFA required in Azure AD

@nsballmann

Even worse: When the MFA is enforced by the AAD backend, but never given by the user due to the successful login, this looks like a "PW of the user was compromised, but MFA saved the day" type of scenario to the AAD backend. This in turn will increase the Identity Protection Risk Score of that user and by that – in the long run – results in blocking them.

This is a major blocker for us, preventing adaptation into our managed corporate Linux client.

@dmulder

dmulder commented Aug 15, 2023

You could implement the device code flow to provide some simple MFA capabilities.

@dmulder

dmulder commented Aug 15, 2023

Even worse: When the MFA is enforced by the AAD backend, but never given by the user due to the successful login, this looks like a "PW of the user was compromised, but MFA saved the day" type of scenario to the AAD backend. This in return will increase the Identity Protection Risk Score of that user and by that – in the long run – results in blocking them.

I wonder if the Identity Protection Risk Score for the user is still increased if the failed auth due to MFA requirement is immediately followed by a successful MFA from the same device?

@bash-bandicoot

Adding MFA flow including FIDO2 is just a must! Something like GDM built-in Google Chrome capabilities so user will do SSO flow post username enter. I admit this is a huge ask, but this is a modern way of ZERO TRUST.

@nsballmann

Even worse: When the MFA is enforced by the AAD backend, but never given by the user due to the successful login, this looks like a "PW of the user was compromised, but MFA saved the day" type of scenario to the AAD backend. This in return will increase the Identity Protection Risk Score of that user and by that – in the long run – results in blocking them.

I wonder if the Identity Protection Risk Score for the user is still increased if the failed auth due to MFA requirement is immediately followed by a successful MFA from the same device?

Define technically "same device".

It's easy on an MS Intune managed device. The browser sends along the device identifier and the backend can identify the device by that (and more).

But on non-Intune managed devices it's just a device that's connecting accidentally from the same IP.

@dmulder

dmulder commented Nov 27, 2023

Define technically "same device".

It's easy on an MS Intune managed device. The browser sends along the device identifier and the backend can identify the device by that (and more).

But on non-Intune managed devices it's just a device that's connecting accidentally from the same IP.

So AAD domain join the device so you have a device ID. I'm working on this now in Samba and Himmelblau. I believe RH has started implementing AAD join in sssd also.

@dmulder

dmulder commented Nov 27, 2023

Here's a spec I wrote up with instructions on how to domain join with AAD:
aad-join-spec.pdf

@dmulder

dmulder commented Nov 27, 2023

You can see how I implemented AAD MFA in himmelblau here: https://github.com/himmelblau-idm/himmelblau/blob/main/src/common/src/idprovider/himmelblau.rs
The code is a bit complicated, but here's the gist of it: Do a simple auth with acquire_token_by_username_password. If this fails with the REQUIRES_MFA error, perform a DAG auth with acquire_token_by_device_flow (which prompts the user to complete MFA auth on another device, such as their cell phone).
SSSD is already doing this for MFA also.
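The step-up flow described in the comment above, written out as an added example; this is not code from aad-auth, himmelblau or SSSD. It uses the call names of the Python MSAL library (acquire_token_by_username_password, initiate_device_flow, acquire_token_by_device_flow) and injects the token client, so the decision logic runs offline against a constructed fake (FakeEntra). The mapping of error codes 50076/50079 to "MFA required" is an assumption to confirm against your tenant's sign-in logs; the function password_only_decision exists only to contrast the failure mode this issue reports (a correct password counted as a successful login) with a decision that allows access only when a token was actually issued.

```python
"""Step-up MFA decision for a login module (added example, not project code)."""
from __future__ import annotations

from enum import Enum
from typing import Callable, Protocol

# Entra ID / Azure AD codes meaning "password accepted, but policy demands MFA":
# 50076 = Conditional Access MFA challenge, 50079 = MFA enrolment required.
# Assumed mapping; verify against your tenant's sign-in logs.
MFA_REQUIRED_CODES = frozenset({50076, 50079})


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


class TokenClient(Protocol):
    """Subset of msal.PublicClientApplication this module relies on."""
    def acquire_token_by_username_password(self, username: str, password: str,
                                           scopes: list[str]) -> dict: ...
    def initiate_device_flow(self, scopes: list[str]) -> dict: ...
    def acquire_token_by_device_flow(self, flow: dict) -> dict: ...


def is_mfa_required(resp: dict) -> bool:
    """True when the token request failed only because MFA was not provided."""
    return "access_token" not in resp and bool(
        MFA_REQUIRED_CODES.intersection(resp.get("error_codes", [])))


def password_only_decision(resp: dict) -> Decision:
    """The failure mode reported in this issue, kept for contrast only:
    a correct password is treated as a login even though no token was issued."""
    if "access_token" in resp or is_mfa_required(resp):
        return Decision.ALLOW
    return Decision.DENY


def authenticate(app: TokenClient, username: str, password: str,
                 scopes: list[str], prompt: Callable[[str], None]) -> Decision:
    """Allow only when the identity provider actually issued a token."""
    resp = app.acquire_token_by_username_password(username, password, scopes=scopes)
    if "access_token" in resp:
        return Decision.ALLOW                      # policy satisfied, no MFA needed
    if not is_mfa_required(resp):
        return Decision.DENY                       # wrong password, lockout, etc.
    flow = app.initiate_device_flow(scopes=scopes)  # step-up via device code flow
    if "user_code" not in flow:
        return Decision.DENY                       # flow could not be started
    prompt(flow["message"])                        # shown to the user, e.g. PAM conversation
    resp = app.acquire_token_by_device_flow(flow)  # blocks until completed, denied or expired
    return Decision.ALLOW if "access_token" in resp else Decision.DENY


def wire_real_app(client_id: str, tenant_id: str):
    """How a real client is built (needs the `msal` package; not run offline)."""
    import msal
    return msal.PublicClientApplication(
        client_id, authority=f"https://login.microsoftonline.com/{tenant_id}")


class FakeEntra:
    """Constructed stand-in for the token endpoint so the demo runs offline."""
    def __init__(self, password_ok: bool, mfa_policy: bool, user_completes_mfa: bool):
        self.password_ok, self.mfa_policy = password_ok, mfa_policy
        self.user_completes_mfa = user_completes_mfa
        self.device_flow_started = False

    def acquire_token_by_username_password(self, username, password, scopes=None):
        if not self.password_ok:   # constructed response shapes mirror MSAL's dicts
            return {"error": "invalid_grant", "error_codes": [50126],
                    "error_description": "constructed: invalid username or password"}
        if self.mfa_policy:
            return {"error": "interaction_required", "error_codes": [50076],
                    "error_description": "constructed: multi-factor authentication required"}
        return {"access_token": "constructed-token", "token_type": "Bearer"}

    def initiate_device_flow(self, scopes=None):
        self.device_flow_started = True
        return {"user_code": "ABCD-1234", "device_code": "constructed-device-code",
                "verification_uri": "https://microsoft.com/devicelogin",
                "message": "To sign in, open https://microsoft.com/devicelogin and enter ABCD-1234",
                "expires_in": 900}

    def acquire_token_by_device_flow(self, flow):
        if self.user_completes_mfa:
            return {"access_token": "constructed-mfa-token", "token_type": "Bearer"}
        return {"error": "expired_token", "error_description": "constructed: device code expired"}


def demo() -> dict[str, Decision]:
    """Run the interesting cases; results are returned so they can be checked."""
    cases = {
        "good password, no MFA policy": FakeEntra(True, False, False),
        "wrong password": FakeEntra(False, True, True),
        "MFA policy, user completes MFA": FakeEntra(True, True, True),
        "MFA policy, user never completes MFA": FakeEntra(True, True, False),
    }
    return {name: authenticate(app, "alice@example.test", "pw", ["User.Read"], print)
            for name, app in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

The point a login module has to get right is the one the sign-in log excerpt earlier in this thread shows: "correct password" and "MFA required" are two separate events, and only a returned token means the policy was satisfied. In the demo the "MFA policy, user never completes MFA" case is denied by authenticate but would be allowed by password_only_decision.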

@ToonSpinTUe

@didrocks refers to graphical functionality - does this mean that MFA is not supported for users logging in over a CLI session such as SSH or a headless system?
