Forum Discussion
Conditional Access not working as expected
Hi guys
I'm trying to configure Conditional Access for our users. We have Windows 10 managed notebooks, which are AAD joined and have Windows Hello for Business configured, all of which is working fine.
We would like to configure a Conditional Access policy to force the users to enter their password and MFA again every 23 hours. For that I have configured a policy where I grant the permission only with MFA and a compliant device.
But the users are not prompted to enter the MFA again. I can see that the correct policy has been hit (see the second printscreen).
Is there anything I could have misunderstood, or should this work the way we need?
Many thanks for any hints on this
Best regards,
Marc
Yes, all users should be forced to use MFA. Here's an article I found just now which explains it all as you're on WHFB, much better than if I would give it a go! https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032
Going forward, try out the What if tool and the Report-only option when you experience odd stuff. Perhaps you'd benefit from using the new CA templates in preview too. Have a look: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common (the article was updated recently, but you'll see those that are common to use if you scroll down). As sign-in frequency also includes MFA nowadays, you should be able to get this working.
Good luck!
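
As an added example (not code from the thread or from Microsoft), the Python below audits exported policies for the situation discussed here: a policy that grants access with MFA and a compliant device but carries no sign-in frequency session control. The field names follow the Microsoft Graph `conditionalAccessPolicy` resource; the two sample policies, their display names and the 23-hour target are constructed for illustration.

```python
import json

# Constructed sample: two policies in the Microsoft Graph conditionalAccessPolicy
# shape (display names and values are made up for this example).
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Require MFA and compliant device",
   "state": "enabled",
   "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
   "sessionControls": null},
  {"displayName": "Reauthenticate every 23 hours",
   "state": "enabledForReportingButNotEnforced",
   "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
   "sessionControls": {"signInFrequency":
                       {"isEnabled": true, "type": "hours", "value": 23}}}
]
""")

HOURS_PER_UNIT = {"hours": 1, "days": 24}


def reauth_interval_hours(policy):
    """Return the sign-in frequency in hours, or None if none is enabled."""
    sif = ((policy.get("sessionControls") or {}).get("signInFrequency")) or {}
    if not sif.get("isEnabled") or sif.get("type") not in HOURS_PER_UNIT:
        return None
    return sif["value"] * HOURS_PER_UNIT[sif["type"]]


def audit(policies, max_hours=23):
    """Describe, per policy, whether it forces periodic reauthentication."""
    findings = {}
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        hours = reauth_interval_hours(p)
        if "mfa" not in controls:
            status = "no MFA grant control"
        elif hours is None:
            status = "MFA required, but no sign-in frequency set"
        elif hours > max_hours:
            status = f"reauth every {hours}h exceeds {max_hours}h target"
        elif p.get("state") != "enabled":
            status = f"reauth every {hours}h, not enforced ({p.get('state')})"
        else:
            status = f"reauth every {hours}h, enforced"
        findings[p["displayName"]] = status
    return findings

print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

The second sample policy is in report-only state (`enabledForReportingButNotEnforced`), which matches the Report-only option suggested in the reply for trying a change before enforcing it.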