Solved

EPM-W MFA-Message with Entra-ID - Logout from session

  • May 6, 2026
  • 3 replies
  • 58 views

Hi there,

We have set up MFA-Messages to authenticate admins when installing software on a client. This also needs to be done on “user-clients”. The problem is that you actually can use the admin MFA session to access various resources such as the Microsoft admin portal if you don't actively sign out or do the authentication in a private tab.

I already tried to use the following in my Entra application, but this does not seem to work:

 

Has anyone set up an MFA-Authentication in Messages for EPM-W and may assist?

Many Thanks!

Best answer by Jens Hansen

OK. So when you use the creds, it gets cached for the browser and allows you to access other stuff that should not be possible.

Anything that has some sort of privileged functionality should be behind a re-authentication for Azure Entra ID etc. I think this MS article can help you out. 

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/prompt-users-for-reauthentication-on-sensitive-apps-and-high/ba-p/4062703

KR Jens

3 replies


  • Author
  • Rising Star
  • May 8, 2026

Hi Jens,

The Always Auth is configured as described in the KB, and it’s working. However, this does not solve the issue that you can use the logged-on session to access, for example, admin.microsoft.com when authenticated as an admin.
Am I missing something? Maybe I should look into ACR-values? I have no clue on that.


  • Guru
  • Answer
  • May 8, 2026

OK. So when you use the creds, it gets cached for the browser and allows you to access other stuff that should not be possible.

Anything that has some sort of privileged functionality should be behind a re-authentication for Azure Entra ID etc. I think this MS article can help you out. 

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/prompt-users-for-reauthentication-on-sensitive-apps-and-high/ba-p/4062703

KR Jens