Hi all,
We have recently switched to SAML authentication. To ensure that our password lists are also protected from Azure AD joined devices where the user is automatically logged in, we use Google Authenticator in addition to SAML authentication. In our case, the user only needs to enter the token from Google Authenticator when logging in. I'm not sure what happens if you force reauthentication on Azure AD connected devices. But if the user had to enter their Azure credentials every time, that would be awkward from my point of view.
Regards, Reto
