Forum Discussion
Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times a day. Our Conditional Access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like a new device or an unknown IP address.
I have tried the following:
- Re-registered authentication methods and revoked previous multifactor auth sessions.
- Enabled Multifactor Authentication in Security Defaults for this user (rather than Conditional Access).
- Exempted this user from the standard CA policy, and created a new one.
None of these steps have helped. Microsoft support was no help.
Some other information:
- This user uses 1 to 2 IP addresses throughout the week. (Home and office)
- This user is using the same devices every day. We have replaced the devices and the issue persists.
- There is at least 1, and up to 5, prompts daily.
- No other users are experiencing this issue, and MFA behaves as expected.
- Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.
Any suggestions are appreciated.
- Spindle8551 (Copper Contributor):
What are your CA policy settings? Are your devices hybrid or Azure AD registered? By every 90 days, I presume you mean this is a sign-in frequency setting?
Assuming the device is hybrid joined or Azure AD registered (Entra registered), it should be honoring a PRT. Look at the sign-in logs and make sure you have the column 'incoming token' selected. It will show you either nothing or Primary Refresh Token. I suspect it will be nothing most of the time. If this is the case, the PRT is being invalidated and it's likely a TPM issue, which is hardware related. I've had to get intimately familiar with this article: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-invalidated
Hope that helps, but knowing more about the CA policy could be helpful too.
- Tim_Healey (Copper Contributor):
Devices are Azure AD registered. Yes, there is a sign-in frequency control of 90 days. Other than that, it targets all cloud apps and grants access with MFA required. There is no requirement that the device be Azure AD joined or compliant in the policy.
You're right that the "Incoming token type" is often none in the sign-ins. Interesting that it could be TPM because we're on device number 2. It could be a coincidence. Windows does not indicate any problems with the TPM.
- Spindle8551 (Copper Contributor):
Can you ask this user to use another device and check how many prompts will occur during the day?
- Tim_Healey (Copper Contributor):
eliekarkafy Yes, the problem persists with a second device. If it is TPM related I suppose it is a coincidence that it is happening on two devices in a row.
- Spindle8551 (Copper Contributor):
They're not macOS or iOS, are they? I find they do not play friendly whatsoever with MFA, SSO etc.
I've found inconsistency with browsers as well. Edge is the most consistent with its MFA behaviour.
What did the sign-in logs say for incoming token?
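The sign-in log check suggested in this thread (look at the "Incoming token type" column and count how often MFA is demanded per day) can be done over an exported log instead of by eye. The script below is an added example, not code from the thread or from Microsoft: field names follow the Microsoft Graph signIn resource, while the records, user names and device id are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Graph sign-in log entries
# (only the fields this check reads). Values are made up, not a real tenant's.
SAMPLE_SIGNINS = json.loads("""[
{"createdDateTime":"2023-10-02T08:01:10Z","userPrincipalName":"alice@example.com",
 "isInteractive":true,"incomingTokenType":"none",
 "authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"deviceId":"dev-1"}},
{"createdDateTime":"2023-10-02T11:42:03Z","userPrincipalName":"alice@example.com",
 "isInteractive":true,"incomingTokenType":"none",
 "authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"deviceId":"dev-1"}},
{"createdDateTime":"2023-10-02T14:05:55Z","userPrincipalName":"alice@example.com",
 "isInteractive":false,"incomingTokenType":"primaryRefreshToken",
 "authenticationRequirement":"singleFactorAuthentication","deviceDetail":{"deviceId":"dev-1"}},
{"createdDateTime":"2023-10-03T09:10:00Z","userPrincipalName":"alice@example.com",
 "isInteractive":true,"incomingTokenType":"primaryRefreshToken",
 "authenticationRequirement":"singleFactorAuthentication","deviceDetail":{"deviceId":"dev-1"}},
{"createdDateTime":"2023-10-03T09:12:00Z","userPrincipalName":"bob@example.com",
 "isInteractive":true,"incomingTokenType":"none",
 "authenticationRequirement":"multiFactorAuthentication","deviceDetail":{"deviceId":"dev-9"}}
]""")


def summarize_user(signins, upn):
    """Per day for one user: interactive sign-ins, how many required MFA
    (a satisfied MFA claim may not have prompted; refine with
    authenticationDetails if needed) and how many carried a PRT."""
    days = defaultdict(lambda: {"interactive": 0, "mfa_required": 0, "with_prt": 0})
    for s in signins:
        if s["userPrincipalName"].lower() != upn.lower() or not s.get("isInteractive"):
            continue  # other users and silent token refreshes are not prompts
        d = days[s["createdDateTime"][:10]]
        d["interactive"] += 1
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            d["mfa_required"] += 1
        if s.get("incomingTokenType") == "primaryRefreshToken":
            d["with_prt"] += 1
    return dict(days)


def suspect_prt_loss(summary):
    """Dates with repeated MFA demands and no PRT presented: the pattern that
    points at PRT invalidation on the device rather than at the CA policy."""
    return sorted(d for d, c in summary.items() if c["mfa_required"] > 1 and c["with_prt"] == 0)


if __name__ == "__main__":
    s = summarize_user(SAMPLE_SIGNINS, "alice@example.com")
    for day in sorted(s):
        print(day, s[day])
    print("days suggesting PRT invalidation:", suspect_prt_loss(s))
```

For a real tenant, replace SAMPLE_SIGNINS with the JSON exported from the Entra sign-in logs (or returned by the Graph signIns endpoint) for the affected user.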