MichaelHildebrand, Alex,
Can you please explain the expected user experience in the following cases:
1. A user uses the same Azure AD Hybrid joined W10 device; CA policy requires MFA to access O365 apps; Sign-in frequency has not been set; there is no Windows Hello for Business; Remember MFA and Remain signed-in settings have been disabled.
If I am not mistaken, the expected behavior is the following:
- Azure AD Primary Refresh Token (PRT) is issued when the user signs in on the device for the first time providing their AD login and password.
- The user runs an O365 app (e.g. Outlook) for the first time and is prompted for MFA. An MFA token is imprinted into the PRT.
- While the user actively uses their W10 device (at least once per 14 days), the PRT will be renewed continuously and the user will never be prompted for MFA unless the PRT is invalidated or the MFA refresh token is revoked by an Administrator.
Am I right? Is that how it works?
2. A user uses the same Azure AD Hybrid joined W10 device; CA policy requires MFA to access O365 apps; Sign-in frequency has been set to 180 days; there is no Windows Hello for Business; Remember MFA and Remain signed-in settings have been disabled.
If I am not mistaken, the expected behavior is the following:
- Azure AD Primary Refresh Token (PRT) is issued when the user signs in on the device for the first time providing their AD login and password.
- The user runs an O365 app (e.g. Outlook) for the first time and is prompted for MFA. An MFA token is imprinted into the PRT.
- While the user actively uses their W10 device (at least once per 14 days), the PRT will be renewed continuously and the user will not be prompted for MFA for 180 days after the first MFA prompt unless the PRT is invalidated or the MFA refresh token is revoked by an Administrator.
Am I right? Is that how it works?
Thank you very much in advance for your assistance!
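Both scenarios hinge on two things an administrator can verify directly rather than infer: which Conditional Access policies require MFA and whether any of them sets a sign-in frequency, and whether the device actually holds an Azure AD PRT and when it expires. The script below is an added example, not part of the original question or of any Microsoft sample. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to Policy.Read.All, and that the second half is run on the hybrid-joined Windows 10 device itself (dsregcmd is built into Windows). The property and field names used are the documented ones; the column labels in the output objects are my own.

```powershell
# Added example (not from the original post): inspect the tenant-side and
# device-side state that the two scenarios above depend on.
# Assumptions: Microsoft.Graph SDK installed; caller can consent to Policy.Read.All;
# part 2 runs locally on the Windows 10 device being checked.

# --- 1. Conditional Access: which policies require MFA, and do they set sign-in frequency? ---
Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null

Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $grant = $_.GrantControls.BuiltInControls
    $sif   = $_.SessionControls.SignInFrequency
    [pscustomobject]@{
        Policy            = $_.DisplayName
        State             = $_.State            # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa       = ($grant -contains 'mfa')
        # No sign-in frequency means no periodic re-authentication is forced by the policy;
        # with one set (e.g. 180 days), the policy measures time since the last MFA.
        SignInFrequency   = if ($sif -and $sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { 'not set' }
        # Persistent browser session control is the policy-side counterpart of "Remain signed in".
        PersistentBrowser = $_.SessionControls.PersistentBrowser.Mode
    }
} | Where-Object { $_.RequiresMfa } | Format-Table -AutoSize

# --- 2. Device side: is this machine hybrid joined, and does it hold a PRT? ---
# dsregcmd /status prints "Key : Value" lines; the PRT fields live in its SSO State section.
$status = dsregcmd /status
$device = @{}
foreach ($line in $status) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|AzureAdPrtUpdateTime|AzureAdPrtExpiryTime)\s*:\s*(.+?)\s*$') {
        $device[$matches[1]] = $matches[2]
    }
}
[pscustomobject]$device | Format-List
# AzureAdJoined = YES together with DomainJoined = YES is the hybrid-joined state from the scenarios.
# AzureAdPrtExpiryTime moves forward each time the PRT is renewed; Microsoft documents a 14-day
# PRT lifetime, so a device left unused past that time needs an interactive sign-in to get a new PRT.
```

Run part 1 from any machine with the Graph SDK and part 2 on the device under test. If the MFA-requiring policy shows `SignInFrequency = not set` (scenario 1), nothing in the policy forces a periodic prompt and the MFA claim carried in a continuously renewed PRT keeps satisfying it; if it shows `180 days` (scenario 2), that is the interval after which the policy will ask for MFA again even though the PRT itself is still being renewed. An administrator revoking the user's sessions invalidates the PRT regardless of either setting, which is why `AzureAdPrt` on the device is worth checking when a user reports an unexpected prompt.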