Posted on 09-13-2023 07:15 AM
Hi,
Let's first start with the question, then some introductions and considerations...
Is the sign-in performed every 15 minutes supposed to be an interactive or non-interactive sign-in?
We have been using Jamf Connect for several years now, and some time ago we were able to resolve the failed login messages by excluding it from our MFA policy.
We still struggle with the Risky Sign-ins as you cannot exclude or filter apps from the auto-remediation policies.
Every now and then the regular pwd checks of Jamf Connect cause someone to be marked as Risky, because JC is only interested in the username and password and ignores any MFA challenge to auto-remediate the risky sign-in.
As far as we understood, ROPG sign-ins are supposed to be non-interactive, and non-interactive sign-ins are not checked for conditional access. Jamf Connect performs an ROPG authentication every 15 minutes to check the password in AzureAD.
When reviewing the logs in AzureAD, we see the 15-minute checks as interactive sign-ins. I recreated all of the config and deployed it to a test machine using this config: https://github.com/jamf/jamfconnect/blob/main/azure_conditional_access/4_-_Modifying_Jamf_Connect_to...
Posted on 09-13-2023 07:52 AM
In addition to my question, and trying to show the inconsistency in documentation / implementation:
Microsoft statement:
Azure conditional access policy does not evaluate the non-interactive sign-in requests.
Jamf PDF:
In this scenario, we want the non-interactive login (where Jamf Connect validates the user’s local password matches the Azure password) to be exempt from a conditional access policy
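To check what the two posts above describe (whether the 15-minute Jamf Connect password checks land in the Azure AD sign-in log as interactive or non-interactive, and whether they are the ones being marked risky), here is an added triage script. It is example code written for this thread, not Jamf's or Microsoft's code. It assumes the Microsoft Graph `auditLogs/signIns` record shape (`appDisplayName`, `isInteractive`, `authenticationProtocol`, `riskState`, `createdDateTime`, `userPrincipalName`) and the documented `signInEventTypes` filter; the sample records are constructed, and the app display name "Jamf Connect" is a placeholder for whatever your tenant shows.

```python
"""Triage Azure AD sign-in log records for an app's ROPG password checks.

Added example for this thread. Assumes the Microsoft Graph
auditLogs/signIns record shape; the sample records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def signins_url(app_name: str, since: datetime, non_interactive: bool) -> str:
    """Build the Graph list-signIns URL for one app since a point in time.

    Graph returns interactive sign-ins by default; non-interactive ones must
    be requested explicitly with the signInEventTypes filter.
    """
    when = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    kind = "nonInteractiveUser" if non_interactive else "interactiveUser"
    flt = (f"createdDateTime ge {when} and appDisplayName eq '{app_name}' "
           f"and signInEventTypes/any(t: t eq '{kind}')")
    return f"{GRAPH_SIGNINS}?{urlencode({'$filter': flt}, quote_via=quote)}"


def _ts(value: str) -> datetime:
    """Parse Graph timestamps, dropping fractional seconds if present."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(records, app_name: str) -> Counter:
    """Count how the app's sign-ins are classified and flagged.

    Keys: interactive, non_interactive, ropc_as_interactive (password-grant
    sign-ins the log nevertheless marks interactive, the mismatch the thread
    is about) and risky (riskState atRisk / confirmedCompromised).
    """
    counts = Counter()
    for rec in records:
        if rec.get("appDisplayName") != app_name:
            continue
        interactive = bool(rec.get("isInteractive"))
        counts["interactive" if interactive else "non_interactive"] += 1
        if interactive and rec.get("authenticationProtocol") == "ropc":
            counts["ropc_as_interactive"] += 1
        if rec.get("riskState") in ("atRisk", "confirmedCompromised"):
            counts["risky"] += 1
    return counts


def periodic_signins(records, app_name: str, minutes: int = 15,
                     tolerance_min: int = 1):
    """Return ids of the app's sign-ins that follow the previous one for the
    same user by roughly `minutes`; a steady cadence is the scheduled
    password check rather than a person logging in."""
    per_user = defaultdict(list)
    for rec in records:
        if rec.get("appDisplayName") == app_name:
            per_user[rec["userPrincipalName"]].append(rec)
    target, tol = timedelta(minutes=minutes), timedelta(minutes=tolerance_min)
    hits = []
    for recs in per_user.values():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            gap = _ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])
            if abs(gap - target) <= tol:
                hits.append(cur["id"])
    return hits


# Constructed sample records (not real tenant data): a normal login, two
# scheduled ROPC checks 15 minutes apart, and an unrelated app sign-in.
SAMPLE_RECORDS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Jamf Connect", "createdDateTime": "2023-09-13T07:00:00Z",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "riskState": "none"},
    {"id": "s2", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Jamf Connect", "createdDateTime": "2023-09-13T07:15:00Z",
     "authenticationProtocol": "ropc", "isInteractive": True, "riskState": "atRisk"},
    {"id": "s3", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Jamf Connect", "createdDateTime": "2023-09-13T07:30:00.123Z",
     "authenticationProtocol": "ropc", "isInteractive": False, "riskState": "none"},
    {"id": "s4", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Outlook", "createdDateTime": "2023-09-13T07:20:00Z",
     "authenticationProtocol": "oAuth2", "isInteractive": True, "riskState": "none"},
]

if __name__ == "__main__":
    since = datetime(2023, 9, 13, tzinfo=timezone.utc)
    print(signins_url("Jamf Connect", since, non_interactive=True))
    print(dict(triage(SAMPLE_RECORDS, "Jamf Connect")))
    print(periodic_signins(SAMPLE_RECORDS, "Jamf Connect"))
```

Pull both the interactive and the non-interactive result sets (the second URL form) into one list, then run `triage` and `periodic_signins` over it: a non-zero `ropc_as_interactive` count confirms the log classification the first post reports, and the ids from `periodic_signins` are the scheduled checks to compare against the Risky Sign-ins report before deciding whether a detection is a real user or the 15-minute ROPG cycle.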