I've been searching through various posts and blogs, but most of them are quite outdated and don't provide the answers I need. I'm trying to find out if there's a way to require multi-factor authentication (MFA) again when activating a Privileged Identity Management (PIM) role. Currently, I log into Azure with MFA, and when I go to activate my PIM role, my first authentication is stored and used silently. Is there any way to prompt MFA again during this activation without switching to a different authentication method? I've already tried enabling the Azure MFA option for the PIM role and setting up a Conditional Access Policy to require sign-in every time. I've also experimented with CA policies and authentication contexts, but nothing seems to work. Is there an easier solution that I might be missing?
3 Answers
I tried this approach as well, but it didn’t work for me. I’m following along to see if anyone else has found a solution we might have missed!
Yes, you can definitely set it up! Although I can't link a guide right now since I'm on my phone, here's how you can do it: First, create an authentication context and then configure your PIM roles to use that context. After that, set up a Conditional Access Policy that applies to your authentication context and mandates MFA with a sign-in frequency set to every time. This should prompt for MFA again when activating a role.
Just a heads up, if you're making multiple PIM requests in a short span (like within 5 minutes), it may not ask for MFA after the first time.
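The three steps from the answer above wired together with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original thread. The context id `c1`, the Global Administrator role, the display names and the excluded break-glass account are assumptions; the policy is created in report-only state so the effect can be checked in the sign-in logs before enforcing it.

```powershell
# Added example (not from the original thread): authentication context -> PIM role setting -> CA policy.
# Values in angle brackets and the "c1" context id are assumptions; adjust to your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","RoleManagementPolicy.ReadWrite.Directory","RoleManagement.Read.Directory","AuthenticationContext.ReadWrite.All"

# 1. Create and publish an authentication context (ids are fixed to c1..c99).
$ctx = New-MgIdentityConditionalAccessAuthenticationContextClassReference -Id "c1" `
    -DisplayName "PIM activation" -Description "Fresh MFA required to activate privileged roles" -IsAvailable

# 2. Point the role's PIM settings at that context (example role: Global Administrator, an assumption).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"
$policyId = $assignment.PolicyId

# "Azure MFA" and "Authentication context" on activation are mutually exclusive in the role settings,
# so drop MultiFactorAuthentication from the enablement rule first (this replaces the whole list).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id = "Enablement_EndUser_Assignment"
        enabledRules = @("Justification")
    }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "AuthenticationContext_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
        id = "AuthenticationContext_EndUser_Assignment"
        isEnabled = $true
        claimValue = $ctx.Id
    }

# 3. Conditional Access policy scoped to the context: require MFA with sign-in frequency "every time".
# Report-only first; switch state to "enabled" once the sign-in logs show the expected prompts.
$policy = @{
    displayName = "PIM activation - require fresh MFA"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications = @{ includeAuthenticationContextClassReferences = @($ctx.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            frequencyInterval = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Activating the role afterwards shows up in the sign-in logs as a request carrying the `c1` authentication context, which is the quickest way to confirm the policy is actually being evaluated.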
It's actually working just fine for us, but we also require stronger authentication methods like FIDO. I haven’t tried it with basic MFA, which might be affecting the performance.
If you manage to find that guide later, can you share it? I'm still having some trouble applying this approach.