Tim_Healey
Jul 17, 2023

Excessive MFA prompts for a specific user

One specific user in my tenant is prompted for MFA multiples times/day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like new device/unknown IP address.


I have tried the following:

  • Re-registered authentication methods and revoked previous multifactor auth sessions.
  • Enabled Multifactor Authentication in Security Defaults for this user (rather than conditional access).
  • Exempted this user from the standard CA policy, and created a new one.

None of these steps have helped. Microsoft support was no help.

Some other information:

  • This user uses 1 to 2 IP addresses throughout the week. (Home and office)
  • This user is using the same devices every day. We have replaced the devices and issue persists.
  • There is at least 1 and up to 5 prompts daily.
  • No other users are experiencing this issue, and MFA behaves as expected.
  • Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.

Any suggestions are appreciated.

  • Spindle8551
    What are your CA policy settings? Are your devices hybrid or Azure AD registered? By every 90 days, I presume you mean this is a sign-in frequency setting?
    Assuming the device is hybrid joined or Azure AD registered (Entra registered), it should be honoring a PRT. Look at the sign-in logs and make sure you have the column 'incoming token' selected. It will show you either nothing or Primary Refresh Token. I suspect it will be nothing most of the time. If this is the case, the PRT is being invalidated and it's likely a TPM issue which is hardware related. I've had to get intimately familiar with this article https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-invalidated
    Hope that helps, but knowing more about the CA policy could be helpful too.
    • Tim_Healey
      Devices are Azure AD registered. Yes, there is a sign in frequency control of 90 days. Other than that, it targets all cloud apps and grants access with MFA required. There is no requirement the device be Azure AD joined or compliant in the policy.

      You're right that the "Incoming token type" is often none in the sign-ins. Interesting that it could be TPM because we're on device number 2. It could be a coincidence. Windows does not indicate any problems with TPM.
  • eliekarkafy
    Can you ask this user to use another device and check how many prompts will occur during the day?
    • Tim_Healey
      eliekarkafy Yes, the problem persists with a second device. If it is TPM related I suppose it is a coincidence that it is happening on two devices in a row.

      • Spindle8551
        They're not macOS or iOS, are they? I find they do not play friendly whatsoever with MFA, SSO etc.
        I've found inconsistency with browsers as well. Edge is the most consistent with its MFA behaviour.
        What did the sign-in logs say for incoming token?
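The check suggested above (look at the sign-in logs and see whether the incoming token is nothing or a Primary Refresh Token) is easier to do over an exported log than by eyeballing the portal. The script below is an added example and is not code from the thread or from Microsoft. It assumes sign-in records in the shape returned by Microsoft Graph `GET /auditLogs/signIns` (the same JSON the portal's Download button produces), reading the fields `userPrincipalName`, `createdDateTime`, `incomingTokenType`, `authenticationRequirement`, `mfaDetail` and `deviceDetail`. The records embedded in it are constructed, not real tenant data, and the rule that a populated `mfaDetail.authMethod` marks a fresh MFA challenge is an assumption to confirm against your own export. It compares the affected user with an unaffected baseline user, which is what separates "the PRT is missing for this one person" from "nobody's PRT is honoured".

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Microsoft Graph auditLogs/signIns records,
# trimmed to the fields this script reads. Not real tenant data.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "tim@contoso.example", "createdDateTime": "2023-07-17T08:01:12Z",
  "incomingTokenType": "none", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {"authMethod": "Mobile app notification"},
  "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "tim@contoso.example", "createdDateTime": "2023-07-17T11:40:03Z",
  "incomingTokenType": "none", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {"authMethod": "Mobile app notification"},
  "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "tim@contoso.example", "createdDateTime": "2023-07-17T15:22:45Z",
  "incomingTokenType": "primaryRefreshToken", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {},
  "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "tim@contoso.example", "createdDateTime": "2023-07-17T17:05:30Z",
  "incomingTokenType": "none", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {"authMethod": "Mobile app notification"},
  "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "tim@contoso.example", "createdDateTime": "2023-07-18T09:12:00Z",
  "incomingTokenType": "none", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {"authMethod": "Mobile app notification"},
  "deviceDetail": {"deviceId": "d2", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2023-07-17T08:30:00Z",
  "incomingTokenType": "primaryRefreshToken", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {},
  "deviceDetail": {"deviceId": "d9", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2023-07-17T13:00:00Z",
  "incomingTokenType": "primaryRefreshToken", "authenticationRequirement": "singleFactorAuthentication",
  "mfaDetail": {},
  "deviceDetail": {"deviceId": "d9", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2023-07-18T08:45:00Z",
  "incomingTokenType": "primaryRefreshToken", "authenticationRequirement": "multiFactorAuthentication",
  "mfaDetail": {},
  "deviceDetail": {"deviceId": "d9", "operatingSystem": "Windows 10", "trustType": "Azure AD registered"}}
]
""")


def signins_for(records, upn):
    """All records for one user, matched case-insensitively on the UPN."""
    upn = upn.lower()
    return [r for r in records if r.get("userPrincipalName", "").lower() == upn]


def incoming_token_by_device(records, upn):
    """incomingTokenType counts per device for one user.

    On an Entra (Azure AD) registered or joined Windows device, browser and
    Office sign-ins should normally present a PRT and show
    'primaryRefreshToken'. A majority of 'none' on such a device means the
    PRT is absent or keeps being invalidated, so each sign-in is a new session.
    """
    per_device = defaultdict(Counter)
    for r in signins_for(records, upn):
        device = (r.get("deviceDetail") or {}).get("deviceId") or "<no device id>"
        per_device[device][r.get("incomingTokenType", "unknown")] += 1
    return {d: dict(c) for d, c in per_device.items()}


def prt_missing_share(records, upn):
    """Fraction of the user's sign-ins whose incomingTokenType is 'none'."""
    rows = signins_for(records, upn)
    if not rows:
        return 0.0
    return sum(1 for r in rows if r.get("incomingTokenType") == "none") / len(rows)


def fresh_mfa_prompts_per_day(records, upn):
    """Sign-ins per UTC day that issued a fresh MFA challenge.

    Assumption: a populated mfaDetail.authMethod marks a real challenge, while
    sign-ins whose MFA requirement was satisfied by a claim already in the
    token leave it empty. Verify against your own export before relying on it.
    """
    per_day = Counter()
    for r in signins_for(records, upn):
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        if not (r.get("mfaDetail") or {}).get("authMethod"):
            continue
        per_day[r["createdDateTime"][:10]] += 1  # YYYY-MM-DD prefix of the timestamp
    return dict(per_day)


def looks_like_prt_problem(records, upn, baseline_upn, min_gap=0.5):
    """True when the affected user's 'none' share exceeds a healthy user's by min_gap."""
    return prt_missing_share(records, upn) - prt_missing_share(records, baseline_upn) >= min_gap


if __name__ == "__main__":
    for user in ("tim@contoso.example", "alice@contoso.example"):
        print(user, incoming_token_by_device(SAMPLE_SIGNINS, user),
              fresh_mfa_prompts_per_day(SAMPLE_SIGNINS, user))
    print("PRT problem suspected:",
          looks_like_prt_problem(SAMPLE_SIGNINS, "tim@contoso.example", "alice@contoso.example"))
```

To run it against a real tenant, replace `SAMPLE_SIGNINS` with the parsed contents of a sign-in log export and pick a baseline user on the same device type and CA policy; if the affected user's sign-ins are mostly 'none' while the baseline's are 'primaryRefreshToken', the next step is the PRT invalidation checks in the article linked above rather than more CA policy changes.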