Cloud Management Gateway, MFA and Azure Sign-in Failure


If you have CMG (Cloud Management Gateway) configured and have enabled MFA, then this blog post may just help you.

I recently came across an issue involving Azure sign-in failures against the CMG native\client app, registered under the name ConfigMgr-Client app, in one of my customers' tenants. The failures created alerts through QRadar (by IBM), a Security Information and Event Management (SIEM) tool. On checking further, I could see the following sign-in failures.


If you look closely, the Authentication requirement field shows Multi-factor Authentication, which must be satisfied for a successful sign-in. On checking the Conditional Access tab, I can see which CA policy is failing.

The CA policy in question is Enforce MFA for Admins, which has been set up to enforce MFA for specific Directory roles across All Cloud Apps. If you think about it, the CA policy is doing what it is supposed to do, but since it is targeting all cloud apps, it is also taking the CMG cloud app into consideration.

Now the CMG native\client app is responsible for user and device authentication for clients using the CMG service. If the authenticating user satisfies the conditions of the CA policy, then MFA will get enforced. However, since the authentication happens non-interactively in the background against the CMG service, there is no way to complete the MFA prompt, and this results in sign-in failures, which get logged in Azure.

To fix this, one needs to exclude the CMG web\server cloud app from the CA policy in question. In my case it is ConfigMgr-Server App that is set up as the CMG web\server app, and it is also the resource that shows up in the sign-in logs.


After the app is excluded, the sign-in failures should clear and the sign-ins should start reporting as successful again, as they did for me.
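The exclusion and a follow-up check, as an added PowerShell example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and assumes the display names used in this post (Enforce MFA for Admins, ConfigMgr-Server App, ConfigMgr-Client app) and that the policy targets All cloud apps:

```powershell
# Added example (not from the original post): exclude the CMG server app from the
# "Enforce MFA for Admins" Conditional Access policy, then check whether Conditional
# Access is still failing sign-ins for the CMG client app.
# Assumptions: the display names below match your tenant; the Microsoft.Graph modules
# (Identity.SignIns, Applications, Reports) are installed.
$PolicyName = 'Enforce MFA for Admins'   # CA policy named in the post
$ServerApp  = 'ConfigMgr-Server App'     # CMG web/server app, the resource in the sign-in logs
$ClientApp  = 'ConfigMgr-Client app'     # CMG native/client app, the client in the sign-in logs

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All','AuditLog.Read.All','Directory.Read.All'

# Resolve the CA policy and the service principal of the CMG server app.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
$sp     = Get-MgServicePrincipal -Filter "displayName eq '$ServerApp'"
if (-not $policy -or -not $sp) { throw "Policy or CMG server app not found; check the display names." }

# Exclusions are keyed by appId (not the service principal object id). Keep any existing
# exclusions and add the CMG server app only if it is not already there.
$exclude = @($policy.Conditions.Applications.ExcludeApplications)
if ($exclude -contains $sp.AppId) {
    Write-Host "$ServerApp is already excluded from '$PolicyName'."
} else {
    $exclude += $sp.AppId
    # PATCH replaces the whole applications condition, so resend the includes as well
    # (for a policy scoped to All cloud apps this is @('All')).
    $body = @{
        conditions = @{
            applications = @{
                includeApplications = @($policy.Conditions.Applications.IncludeApplications)
                excludeApplications = $exclude
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    Write-Host "Excluded $ServerApp ($($sp.AppId)) from '$PolicyName'."
}

# Check: sign-ins for the CMG client app that still fail Conditional Access after the
# change point at another policy (or a different cause) and deserve a look.
$since = (Get-Date).AddHours(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Top 50 -Filter "appDisplayName eq '$ClientApp' and conditionalAccessStatus eq 'failure' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, UserPrincipalName, ResourceDisplayName,
        @{ n = 'FailedPolicies'; e = { ($_.ConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ', ' } }
```

Run it as a Conditional Access Administrator; the check lists only the last hour, so re-run it after the policy change has had time to propagate.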


Conclusion

There is no official documentation for this, at least at the time of writing this blog, but for now, excluding the CMG server app appears to be the only logical fix.
