ZPA and Azure AD


(Lior) #1

Can anyone please share setup instructions and experience with Azure AD MFA for ZPA?
The idea is to authenticate to ZPA with MFA upon first login, and every few hours.


(Kunal) #2

Hey Lior,

There is nothing specific for ZPA that needs to be done. You can setup MFA with Azure AD using standard AAD instructions.


(Lior) #3

Setup is extremely easy indeed but upon testing, it appears that domain joined stations are challenged for MFA only once… Non-domain joined are challenged upon every login to Zapp, as well as for re-authentication. Nothing is configured for such behavior on ‘conditional access’.

Anyone has experience with this?

(Scott Bullock) #4

Hi Lior, we’ll follow whatever MFA rules are configured in conditional-access. I can’t say I’ve seen this before, but it may be a default behaviour of Azure’s MFA product. Have you queried the Azure team on this behaviour you’re experiencing?

(Lior) #5

An update on this one:
It seems that only domain joined stations are “trusted” and do not prompt for MFA for authentication, or re-authentication. External devices prompt for MFA every time.

I’ll update with updates from MS.