Excluding Azure file shares from Conditional Access policies requiring MFA – All about Microsoft Endpoint Manager


This week is another short follow-up on the last couple of weeks. While the last couple of weeks were all about configuring the authentication on Azure file shares and on mapping Azure file shares, this week is all about the exclusion for multi-factor authentication (MFA). During the initial post, about using Azure AD Kerberos authentication for Azure file shares, it was mentioned that Azure AD Kerberos doesn’t support using MFA for accessing Azure file shares. The steps to prevent that just weren’t described. Based on comments and feedback, it’s good to still walk through the steps for configuring that exclusion. This post will briefly discuss the challenge, followed by the steps to create the exclusion for Azure file shares. This post will end with the user experience.

Note: Keep in mind that this post is only applicable when using Azure AD Kerberos authentication for Azure file shares. For more information, have a look at this post about configuring Azure AD Kerberos authentication.

Configuring the exclusion for Azure file shares

When looking at the unsupported MFA configuration, the focus is all on Conditional Access policies. More specifically, Conditional Access policies that are assigned to all cloud apps. When looking at an Azure file share that relies on Azure AD Kerberos authentication, there will be an Azure AD app representing the storage account. That app registration is also targeted by Conditional Access policies that are assigned to all cloud apps. Those Conditional Access policies can be used to require specific access controls, including requiring MFA for access. The challenge with requiring MFA is that it’s not supported by Azure AD Kerberos.

To make sure that the Azure file shares are not targeted by Conditional Access policies that require MFA, the Azure AD app representing the storage account that contains the file shares can be excluded from the different Conditional Access policies. The following three steps walk through the process of creating that configuration.

Note: The provided steps can be used for any Conditional Access policy that might be problematic and for any storage account that might need to be excluded.

This doesn’t mean, however, that Conditional Access policies that require MFA are always problematic. When a token is already available on the device that contains a claim that satisfies the MFA requirement, the mapping of the Azure file share will also be successful. In that case, it simply uses the existing token. The main challenge arises when no such token is available on the device at the moment the Azure file share is mapped.
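The exclusion described above, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post or of Microsoft’s own documentation. It assumes the storage account name "contoso" (placeholder) and that the Azure AD Kerberos app is listed as "[Storage Account] contoso.file.core.windows.net"; it only touches policies that target all cloud apps and require MFA through the built-in grant controls, so the exclusion stays as narrow as possible.

```powershell
# Added example (not from the original post): exclude the storage account's Azure AD app
# from every Conditional Access policy that targets All cloud apps and requires MFA.
# Assumptions: Microsoft.Graph PowerShell SDK installed; storage account name is a placeholder.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$storageAccount = 'contoso'   # placeholder, replace with the real storage account name
$spName = "[Storage Account] $storageAccount.file.core.windows.net"   # assumed display name
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) { throw "No service principal named '$spName'; enable Azure AD Kerberos on the account first." }

# Conditional Access references applications by appId (client ID), not by the object ID
$appId = $sp.AppId

# Scope the change: only policies that (a) include All cloud apps and (b) require MFA
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

foreach ($p in $policies) {
    $excluded = @($p.Conditions.Applications.ExcludeApplications)
    if ($excluded -contains $appId) {
        Write-Host "Already excluded from: $($p.DisplayName)"
        continue
    }
    # Send the whole applications object so the existing include list is preserved
    $body = @{
        conditions = @{
            applications = @{
                includeApplications = @($p.Conditions.Applications.IncludeApplications)
                excludeApplications = $excluded + $appId
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter $body
    Write-Host "Excluded $appId from: $($p.DisplayName)"
}
```

Policies that enforce MFA through an authentication strength rather than the built-in `mfa` control are not matched by this filter and need to be reviewed separately; after running it, confirm in the Azure AD sign-in logs that the storage account app no longer fails with the account restriction error.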

Experiencing the behavior before the exclusion for Azure file shares

When looking at the user experience, the best method for experiencing the behavior is before the exclusion of the Azure file shares, simply because that shows the error that users will experience. That behavior is shown below in Figure 2. It shows the message that the user will receive when trying to connect to the Azure file share while a Conditional Access policy is applied that requires MFA. That provides the user with the message that account restrictions are preventing the sign-in.

Note: As mentioned before, this doesn’t mean that it won’t work at all. When a token is already available that contains a claim that satisfies the MFA requirement, the sign-in will still be successful.
