Forum Discussion

RippieUK
Brass Contributor
Oct 02, 2020

I'm confused over MFA and re-authentication prompts

Can someone please help me to understand this.


I have been asked by a few colleagues now why they are being prompted fairly often to re-authenticate with MFA.


So today I removed the "Remember MFA on trusted device" setting, as it was set to 7 days and the MS guidelines really said 90 days or more.

I then also read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime

It talks about going into company branding and showing the option "Show option to remain signed in". I enabled this.

Lastly I went into my 2 Conditional Access policies (both are used to require MFA) and added, in the session section:
  • Sign-in frequency set to 90 days
  • Persistent browser session set to always persistent

We don't have a Conditional Access policy for normal users. Not sure if that is needed or not when we are not yet concerned with MFA for regular users.

I'd be grateful if someone has time to help me understand this so I can make sure my users have a nice user experience.

We all have Azure AD P1 licenses and some of us have EMS E1 too. Machines are not always Hybrid AD joined, but they are all domain joined and we have seamless SSO enabled.

  • Your best bet is to check the AAD sign-in logs for when a prompt happens at sign-in and see what's going on.

    It could be a few things such as private/legacy/unsupported browsers, new locations etc.

    If you have hybrid join and want to bypass the MFA requirement, then I'd suggest using device hybrid join as a requirement and setting the CA option to "require one of the selected controls".

    Session policies relate more to expiring active sessions than to preventing prompts; they are a maximum rather than a minimum.

    If the session itself is closed and the machine does not have a refresh token from AAD, then it will be prompted.
    • RippieUK
      Brass Contributor

      SeanMcAvinue Hi there, thank you for replying, I will check the sign-in logs.

      • So I understand the concept of logging in and having an active session so you don't keep being prompted to log in.
        Is it the company branding "keep signed in" option and a CA policy where you set the session Sign-in Frequency and Persistent browser session?
        So I really want to reduce sign-ins but still keep the security.

        Now we want to add MFA to a subset of users. So when they are asked to sign in we want to add MFA. I have this as a CA policy currently:
      • All cloud apps
      • Include any location
      • Exclude selected locations
      • Client apps is set to Browser and Mobile apps and desktop clients
      • Grant access is set to require MFA
      • Session is set to a sign-in frequency of 90 days and an always persistent browser session.


      If you can help me at all I would be very grateful.
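The policy described above (all cloud apps, any location except the excluded ones, browser and mobile/desktop clients, grant MFA, 90-day sign-in frequency, always-persistent browser session), together with the "require one of the selected controls" hybrid-join variant from the reply and the sign-in-log check it recommends, as an added Microsoft Graph PowerShell example. This is not code from the thread or from Microsoft; the group id, the excluded named-location id and the one-day log window are hypothetical placeholders, and the policy is created in report-only state so the sign-in log shows what it would have done before it is enforced.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK.
# Scopes: creating CA policies needs Policy.ReadWrite.ConditionalAccess (+ Application.Read.All);
# reading sign-ins needs AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$pilotGroupId       = "00000000-0000-0000-0000-000000000001"   # hypothetical pilot group
$excludedLocationId = "00000000-0000-0000-0000-000000000002"   # hypothetical named location (office egress IPs)

# The policy as the original poster describes it. Starting in report-only state is an
# assumption of this example: it lets you read the "would have applied" result in the
# sign-in log (AppliedConditionalAccessPolicies.Result = reportOnlySuccess) before enforcing.
$policy = @{
    displayName = "Pilot - Require MFA (90 day sign-in frequency)"
    state       = "enabledForReportingButNotEnforced"          # switch to "enabled" once verified
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @("All") }    # "All cloud apps"
        locations    = @{
            includeLocations = @("All")                      # "Include any location"
            excludeLocations = @($excludedLocationId)        # "Exclude selected locations"
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                           # "Grant access: require MFA"
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 90 }
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# The reply's suggestion: accept either MFA *or* a Hybrid Azure AD joined device.
# In the portal this is "Require one of the selected controls"; in Graph it is operator OR
# with both built-in controls listed. Same conditions and session controls otherwise.
$hybridVariant = $policy.Clone()
$hybridVariant.displayName   = "Pilot - MFA or Hybrid joined device"
$hybridVariant.grantControls = @{
    operator        = "OR"
    builtInControls = @("mfa", "domainJoinedDevice")
}
$createdHybrid = New-MgIdentityConditionalAccessPolicy -BodyParameter $hybridVariant
"Created policy $($createdHybrid.Id) in state $($createdHybrid.State)"

# The check the reply recommends: which interactive sign-ins in the last day actually
# required MFA, from which client/location, and which CA policy produced the requirement.
# Window of one day is an arbitrary choice for this example.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 500 |
    Where-Object { $_.AuthenticationRequirement -eq "multiFactorAuthentication" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed,
        @{ n = "Browser";  e = { $_.DeviceDetail.Browser } },
        @{ n = "Location"; e = { "$($_.Location.City)/$($_.Location.CountryOrRegion)" } },
        @{ n = "MfaResult"; e = { $_.MfaDetail.AuthMethod } },
        @{ n = "Policies"; e = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Result -in "success", "reportOnlySuccess" } |
                ForEach-Object DisplayName) -join "; " } } |
    Format-Table -AutoSize
```

Reading the output against the reply's list of usual causes: a new Browser or ClientAppUsed value (private window, legacy client) or an unfamiliar Location on the prompted rows is the quick explanation, and the Policies column tells you whether the prompt came from one of your CA policies at all or from something else (for example the per-user MFA setting or the "remember MFA" window), which the session controls on the policy cannot shorten or lengthen.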
