Forum Discussion
Non-Cached Browser (login) 100% of the time
First, because it's what the customer asked for.
Second, I took the shared computer environment you were asking about as in a terminal server environment, and it's not part of that.
Let's say the user logs into his account at a friend's house, internet cafe, or anywhere else, and forgets to log out. If the browser caches cookies, then anyone can log in to the user's account. We actually tested it here on a VM and even after 3 days, we were still able to log right back in, without putting in a password. The browser just logged right back into that user's account.
We have a ticket open with Microsoft as we find this a big flaw. Not sure if it's part of an MFA bug or what, but the customer was looking for a way to make it work. Now we know, if the customer clicks "log out" this won't happen, but we are looking for the times users forget to click Log out.
“and forgets to log out” then yes, this would be expected behaviour.
Also, in your testing, make sure that when you say they were able to log in again after three days, did you close the browser (and by that I mean all instances of the browser, tabs and all)?
Ideally your users should always log out when they are finished, and even better is to use InPrivate or Incognito settings on the guest machine they are using. Then there is no issue, as when they close the browser or log out the cookies are removed.
For MFA with O365 (the free one built in) you can get an MFA prompt at each login, but if the user does not close the browser or log out, the second attempt to log in is not a new attempt but a continuation of the new session, and with the free MFA feature you will be prompted on all networks including trusted ones. With Conditional Access (part of Azure AD Premium) you can have limitations on where you can log in, so you cannot log in on untrusted machines or require MFA on untrusted networks, but if your users do not log out, all bets are off...