Forum Discussion

RippieUK
Brass Contributor
Apr 30, 2020

Can I improve user experience of Azure MFA?

Hi all,

We enabled Azure MFA via conditional access not that long ago for the most important users in the company. At the time of deployment it got thrown in with probably little appreciation for all the settings you can configure.

Azure MFA is for the most part accepted nicely by all, but I wanted to check with the community whether we could have selected the settings better to make it an even better user experience.

The number one feedback we get is that MFA prompts happen too often. MFA prompts 7 days apart are not going down well with everyone 🙂

So we have MFA enabled via Conditional Access, and only for a group of users.

Conditional Access is set to ALL cloud apps with no exceptions.

Conditional Access is set to all locations, excluding 2 trusted networks.

In the Azure AD MFA service settings we allow remembering the MFA token for 7 days.

I understand that if you use the option to remember the MFA prompt for 7 days when logging in to things through a browser, it sets a persistent cookie that survives even after the browser has been closed or the system has been rebooted.

If you don't select that box, then if you close the browser window and re-open it you are asked for MFA again.

Non-browser clients don't show the option to remember the token for 7 days; instead they use the refresh token, which every hour grants an access token if the last 2-step MFA happened within the last 7 days (or whatever you set under the MFA service settings).


I don't know if:

  1. Is 7 days considered too low/high?
  2. Is including all cloud apps in the conditional access perhaps overkill?
    1. Especially for PolyCom RealConnect phones

I am really hoping someone in the community has some good ideas, although I am aware that we ourselves select the settings we want. But just because we have gone for these settings does not mean they are generally considered good ones.

  • RippieUK
    Brass Contributor

    ChristianBergstrom Thank you for that piece of information. We currently have something similar set in our default conditional access policy, which says in the grant access section to require MFA, which forces people to go and sign up for that. Not sure if they can bypass it though.

  • Thijs Lecomte
    Bronze Contributor
    I usually keep it at 14 days. This is a good middle ground between security and user friendliness.

    It's not overkill to include all cloud apps.
    I would, however, advise you to exclude all compliant/hybrid joined devices. If you set it up like this, your users will not receive MFA prompts when they are on a corporate computer.
    • RippieUK
      Brass Contributor

      Thijs Lecomte I actually did think that perhaps 14 days would be good.

      We have not as of yet done any hybrid join other than a select few machines from IT.

      This certainly makes a case for it. Do you know how that works with Android and iPads that are in Intune as fully supervised devices?

      • Thijs Lecomte
        Bronze Contributor
        Yes, this is possible.

        So you can use 'require compliant device' if your devices are fully Intune managed and not added to an on-prem domain. This means AAD joined W10, Android, iOS and macOS.

        If your W10 computers are currently on-prem, I would advise you to hybrid join them. That way they are joined to AD and AAD at the same time.
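As an added illustration (not from anyone in this thread), here is the policy described in the question plus the compliant/hybrid-joined device exclusion Thijs recommends, expressed in the Microsoft Graph conditionalAccessPolicy schema, with a small review check that flags the settings the thread calls out. The group id is a constructed placeholder, and using the sign-in frequency session control as the Conditional Access counterpart of the "remember MFA for N days" service setting is an assumption.

```python
"""Build and review an Azure AD Conditional Access MFA policy (Graph API schema)."""
import json

TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder: the MFA user group


def build_mfa_policy(group_id: str, sign_in_days: int = 14) -> dict:
    """All cloud apps, all locations except trusted networks, MFA for one group,
    and compliant or hybrid Azure AD joined devices excluded from the policy."""
    return {
        "displayName": "Require MFA - selected users",
        "state": "enabledForReportingButNotEnforced",  # report-only first, then enable
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",
                    # Intune-compliant or hybrid joined (trustType ServerAD) devices skip this policy
                    "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"',
                }
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        # assumption: sign-in frequency stands in for the "remember MFA for N days" setting
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": sign_in_days}},
    }


def review_policy(policy: dict) -> list:
    """Flag the settings this thread identifies as causes of prompt fatigue or coverage gaps."""
    findings = []
    conds = policy.get("conditions", {})
    if conds.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("scope is not all cloud apps; per-app gaps are easy to miss")
    if not conds.get("locations", {}).get("excludeLocations"):
        findings.append("no trusted locations excluded; office users are prompted too")
    dev = conds.get("devices", {}).get("deviceFilter") or {}
    if dev.get("mode") != "exclude" or "isCompliant" not in dev.get("rule", ""):
        findings.append("managed devices not excluded; corporate machines still get prompts")
    sif = policy.get("sessionControls", {}).get("signInFrequency") or {}
    if sif.get("isEnabled") and sif.get("type") == "days" and sif.get("value", 0) < 7:
        findings.append("sign-in frequency under 7 days; expect prompt complaints")
    return findings


if __name__ == "__main__":
    policy = build_mfa_policy(TARGET_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print(review_policy(policy) or "no findings")
```

The policy is created in report-only state so its sign-in log impact can be checked before it is enforced.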
