MFA is not applicable in Microsoft Azure OAuth2 flow


Ensar Şamil Beşe

Oct 17, 2022, 9:46:34 AM
to velociraptor-discuss
Hi everyone,

I have deployed SSO integration with Microsoft Azure OAuth2 flow as detailed here: https://blog.velocidex.com/velociraptor-sso-authentication-6dd68d46dccf

SSO Integration works pretty well. However, when I apply a Conditional Access Policy (MFA) as a security precaution, users are not asked for MFA and they are able to authenticate without MFA.

When I raised the issue to the responsible team, their response was: 
"When a user signs in to your application, the user is signing in to the generic Microsoft Graph endpoint.
As the endpoint is MS Graph and not your application, only CAPs filtering for MS Graph are getting applied.

This is also called the audience/application/scope/resource/ or instance. While they are (technically) not the same, for this discussion, they are mostly interchangeable, and the name only depends on how you set it up, where you are coming from, and where you are looking."

I have limited knowledge about this topic and they also told me that I have to solve this issue in application by changing the endpoint/audience (via Framework or the callback URLs).

Any suggestions for how to solve this issue?

Thanks.
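To see concretely what the Azure team's reply about the audience means, here is an added example (not part of this thread and not Velociraptor's own code) that inspects the claims of a token the app receives: the `aud` claim shows which resource the token was issued for (Microsoft Graph's well-known application ID versus the app's own client ID or `api://` URI), and the `amr` claim shows whether Azure AD recorded an MFA step. The client ID and the sample tokens are constructed placeholders; the helper decodes without verifying the signature and is meant only for diagnosing which audience a flow is producing.

```python
import base64
import json

# Well-known application ID of the Microsoft Graph resource (public value, not from the thread).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {GRAPH_APP_ID, "https://graph.microsoft.com"}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature.

    Inspection helper only: before any claim is trusted by the application,
    the signature must be verified against the tenant's published signing keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, app_client_id: str) -> dict:
    """Report which resource the token targets and whether MFA was performed."""
    claims = decode_jwt_payload(token)
    aud = claims.get("aud", "")
    amr = claims.get("amr", [])  # authentication methods Azure AD recorded, e.g. ["pwd", "mfa"]
    app_audiences = {app_client_id, f"api://{app_client_id}"}
    return {
        "audience": aud,
        "issued_for_graph": aud in GRAPH_AUDIENCES,
        "issued_for_app": aud in app_audiences,
        "mfa_performed": "mfa" in amr,
    }


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _make_sample_token(claims: dict) -> str:
    # Constructed sample token with a dummy signature segment, for this demo only.
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.dummysig"


APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder client ID

# Token as issued when the authorization request only asked for Graph scopes:
GRAPH_TOKEN = _make_sample_token({"aud": GRAPH_APP_ID, "amr": ["pwd"]})
# Token as issued when the request targets the app's own exposed API scope:
APP_TOKEN = _make_sample_token({"aud": f"api://{APP_ID}", "amr": ["pwd", "mfa"]})

if __name__ == "__main__":
    for name, tok in (("graph-audience", GRAPH_TOKEN), ("app-audience", APP_TOKEN)):
        print(name, audit_token(tok, APP_ID))
```

A token whose `aud` is the Graph application ID is the situation described above: a Conditional Access Policy scoped to the app will not be evaluated for it, and the absence of `mfa` in `amr` is the observable symptom.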

Mike Cohen

Oct 17, 2022, 9:54:51 AM
to Ensar Şamil Beşe, velociraptor-discuss
I don't know much about Azure specifically but we are setting the Endpoint here


and using the default for Azure tenants - we also access the graph api here

to get the user's avatar. 

You may be able to have finer control by using the generic oidc provider directly 

As that allows you to set the endpoint URL in the config file. The downside is that you probably won't be able to get the avatar 

Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 



Ensar Şamil Beşe

Oct 18, 2022, 8:25:16 AM
to velociraptor-discuss
Thanks for the support Mike.

On Monday, 17 October 2022 at 15:54:51 UTC+2, mi...@velocidex.com wrote: