Forum Discussion
I'm confused over MFA and re-authentication prompts
Can someone please help me to understand this?
I have been asked by a few colleagues now why they are being prompted fairly often to re-authenticate with MFA.
So today I removed the "Remember MFA on trusted device" setting, as it was set to 7 days and the MS guidelines really said 90 days or more.
I then also read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime
Which talks about going into company branding and showing the option "Show option to remain signed in". I enabled this.
Lastly I went into my 2 Conditional Access policies (both are used to require MFA) and added to the session section:
- Sign-in frequency set to 90 days
- Persistent browser session set to always persistent
We don't have a Conditional Access policy for normal users. Not sure if that is needed or not when we are not yet concerned with MFA for regular users.
If someone has time to help me understand this so I can make sure my users have a nice user experience, that would be great.
We all have Azure AD P1 licenses and some of us have EMS E1 too. Machines are not always Hybrid AD joined but they are all domain joined and we have seamless SSO enabled.
- Your best bet is to check the AAD sign-in logs for when a prompt happens at sign-in and see what's going on.
It could be a few things such as private/legacy/unsupported browsers, new locations etc.
If you have hybrid join and want to bypass the MFA requirement then I'd suggest using device hybrid join as a requirement and setting the CA option to "require one of the selected controls".
Session policies relate more to expiring active sessions than preventing prompts; they are a maximum rather than a minimum.
If the session itself is closed and the machine does not have a refresh token from AAD then it will be prompted.
- RippieUK (Brass Contributor): SeanMcAvinue, hi there, thank you for replying. I will check the sign-in logs.
- So I understand the concept of logging in and having an active session so you don't keep being prompted to log in.
Is it the company branding "keep me signed in" option and a CA policy where you set the session Sign-In Frequency and Persistent browser session?
So I really want to reduce sign-ins but still keep the security.
Now we want to add MFA to a subset of users. So when they are asked to sign in we want to add MFA. I have this as a CA policy currently:
- All cloud apps
- Include any location
- Exclude selected locations
- Client apps is set to Browser and Mobile apps and desktop clients
- Grant access is set to require MFA
- Session is set to the sign-in frequency to 90 days and always persistent session.
If you can help me at all I would be very grateful.
- You don't need the 90-day sign-in frequency as that is for ending sessions, not retaining them. You can keep persistent tokens enabled and then check out the "keep me signed in" option here:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/keep-me-signed-in
This will give users the option to tick "keep me signed in" at login, and then as long as their session stays active they will not need to re-authenticate.
For more details on refresh tokens check:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
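The replies above say the first step is to read the AAD sign-in logs and work out why each interactive MFA prompt happened (legacy client, new location, unregistered device, a CA policy that applied, or simply an expired session with no refresh token). The script below is an added example for this thread, not code from Microsoft or from either poster: it triages sign-in records using the field names of the Microsoft Graph `signIn` resource (GET /auditLogs/signIns) and tallies the likely prompt reasons. The records in `SAMPLE_SIGNINS` are constructed sample data, `KNOWN_COUNTRIES` is an assumed baseline for the organisation, and the "unfamiliar location" and "no refresh token" labels are this script's heuristics, not Azure AD's own classification.

```python
"""Triage Azure AD sign-in log entries to see why an MFA prompt appeared.

Added example for this thread, not code from Microsoft or the posters.
Field names follow the Microsoft Graph `signIn` resource returned by
GET /auditLogs/signIns; SAMPLE_SIGNINS is constructed sample data, not a
real export, and KNOWN_COUNTRIES is an assumed baseline for the tenant.
"""
from collections import Counter

KNOWN_COUNTRIES = {"GB"}  # assumption: where this org normally signs in from
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records, trimmed to the fields used below.
SAMPLE_SIGNINS = [
    {   # admin in the office, prompted by the MFA policy itself
        "userPrincipalName": "admin1@example.com", "isInteractive": True,
        "clientAppUsed": "Browser",
        "authenticationRequirement": "multiFactorAuthentication",
        "location": {"countryOrRegion": "GB"},
        "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA - admins", "result": "success",
             "enforcedGrantControls": ["Mfa"]}],
    },
    {   # legacy protocol from a phone that is not registered with AAD
        "userPrincipalName": "admin1@example.com", "isInteractive": True,
        "clientAppUsed": "Exchange ActiveSync",
        "authenticationRequirement": "multiFactorAuthentication",
        "location": {"countryOrRegion": "GB"},
        "deviceDetail": {"trustType": ""},
        "appliedConditionalAccessPolicies": [],
    },
    {   # silent token refresh: no prompt is shown, so it must not be counted
        "userPrincipalName": "admin2@example.com", "isInteractive": False,
        "clientAppUsed": "Browser",
        "authenticationRequirement": "multiFactorAuthentication",
        "location": {"countryOrRegion": "GB"},
        "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
        "appliedConditionalAccessPolicies": [],
    },
    {   # admin travelling, prompted by the policy from an unusual country
        "userPrincipalName": "admin2@example.com", "isInteractive": True,
        "clientAppUsed": "Browser",
        "authenticationRequirement": "multiFactorAuthentication",
        "location": {"countryOrRegion": "US"},
        "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA - admins", "result": "success",
             "enforcedGrantControls": ["Mfa"]}],
    },
]


def was_mfa_prompt(rec):
    """True only for interactive sign-ins where AAD required a second factor."""
    return bool(rec.get("isInteractive", True)) and \
        rec.get("authenticationRequirement") == "multiFactorAuthentication"


def prompt_reasons(rec):
    """Return the plausible reasons this sign-in showed an MFA prompt."""
    if not was_mfa_prompt(rec):
        return []
    reasons = []
    if rec.get("clientAppUsed") not in MODERN_CLIENTS:
        reasons.append("legacy or unsupported client")
    country = (rec.get("location") or {}).get("countryOrRegion")
    if country not in KNOWN_COUNTRIES:          # heuristic, not an AAD verdict
        reasons.append("unfamiliar location")
    if not (rec.get("deviceDetail") or {}).get("trustType"):
        reasons.append("device not registered or joined to AAD")
    for pol in rec.get("appliedConditionalAccessPolicies", []):
        controls = [c.lower() for c in pol.get("enforcedGrantControls", [])]
        if pol.get("result") == "success" and "mfa" in controls:
            reasons.append(f"CA policy '{pol['displayName']}' required MFA")
    if not reasons:  # nothing else explains it: session ended, no refresh token
        reasons.append("session expired or no refresh token")
    return reasons


def mfa_prompts(records):
    """Filter a log export down to the sign-ins that actually prompted for MFA."""
    return [r for r in records if was_mfa_prompt(r)]


def summarize(records):
    """Count prompt reasons across a log export, for a quick where-to-look view."""
    counts = Counter()
    for rec in records:
        counts.update(prompt_reasons(rec))
    return counts


if __name__ == "__main__":
    print(f"{len(mfa_prompts(SAMPLE_SIGNINS))} interactive MFA prompts")
    for reason, n in summarize(SAMPLE_SIGNINS).most_common():
        print(f"{n:3d}  {reason}")
```

On a real export, replace `SAMPLE_SIGNINS` with the `value` array from the Graph response (or the JSON download from the portal's sign-in logs blade); the non-interactive records are the silent refreshes the second reply describes, which is why they are excluded before anything is counted.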