Forum Discussion
RippieUK
Oct 02, 2020 Brass Contributor
I'm confused over MFA and re-authentication prompts
Can someone please help me to understand this. I have been asked by a few colleagues now why they are being prompted fairly often to re-authenticate with MFA. So I removed today the Remember ...
SeanMcAvinue
MVP
Your best bet is to check the AAD sign in logs for when a prompt happens at sign in and see what's going on.
It could be a few things such as private/legacy/unsupported browsers, new locations etc.
If you have hybrid join and want to bypass the MFA requirement then I'd suggest using device hybrid join as a requirement and setting the CA option to "require one of the selected controls".
Session policies relate more to expiring active sessions than preventing prompts; they are a maximum rather than a minimum.
If the session itself is closed and the machine does not have a refresh token from AAD then it will be prompted.
RippieUK
Oct 06, 2020 Brass Contributor
SeanMcAvinue Hi there, thank you for replying, I will check the sign-in logs.
So I understand the concept of logging in and having an active session so you don't keep being prompted to log in.
Is it the company branding "keep signed in" and a CA policy where you set the session Sign-In Frequency and Persistent browser session?
So I really want to reduce sign-ins but still keep the security.
Now we want to add MFA to a subset of users. So when they are asked to sign in we want to add MFA. I have this as a CA policy currently:
- All cloud apps
- Include any location
- Exclude selected locations
- Client apps is set to Browser and Mobile apps and desktop clients
- Grant access is set to require MFA
- Session is set to the sign-in frequency of 90 days and always persistent session.
If you can help me at all I would be very grateful.
SeanMcAvinue
Oct 06, 2020 MVP
You don't need the 90 day sign-in frequency as that is for ending sessions, not retaining them. You can keep persistent tokens enabled and then check out the keep me signed in option here:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/keep-me-signed-in
This will give users the option to tick 'keep me signed in' at login and then, as long as their session stays active, they will not need to re-authenticate.
For more details on refresh tokens check:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
RippieUK
Oct 09, 2020 Brass Contributor
SeanMcAvinue I think it just clicked a bit better than before. In my Conditional Access, if I add the conditions "Marked as compliant" and "Hybrid Azure AD joined" as well as Require MFA, and then set the condition to match ANY instead of all, I can effectively skip the MFA part as long as one of the other 2 conditions is met.
Do you know if the Keep me signed in option you can set for all under the company branding page is still needed if you have a conditional access policy for all users that sets persistent tokens to enabled?
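To make the "require all" versus "require one of the selected controls" distinction and the sign-in frequency point concrete, here is an added example (not code from this thread or from Microsoft). It builds a Graph-style conditionalAccessPolicy body in the shape the thread describes (the schema names are real; the group and location ids are placeholders) and runs a deliberately simplified model of grant-control evaluation for the three controls discussed above; it is not the real Conditional Access engine.

```python
import json

# Added example for this thread, not code from the post or from Microsoft.
# build_policy emits a Graph-style conditionalAccessPolicy body (schema names
# are real; ids are placeholders). grant_outcome is a simplified model of
# grant-control evaluation for the three controls the thread discusses.

def build_policy(operator, sign_in_frequency_days=None):
    policy = {
        "displayName": "Require MFA or managed device (example)",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": ["<pilot-group-object-id>"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["<trusted-location-id>"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {
            # "AND" = require all selected controls; "OR" = require one of them
            "operator": operator,
            "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"],
        },
        "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "always"}},
    }
    if sign_in_frequency_days is not None:
        # Sign-in frequency caps how long a session may live; it never extends one.
        policy["sessionControls"]["signInFrequency"] = {
            "isEnabled": True, "type": "days", "value": sign_in_frequency_days}
    return policy

def grant_outcome(policy, device):
    """Return 'grant' (no prompt), 'mfa' (prompt) or 'block' for a device
    described by {'compliant': bool, 'hybrid_joined': bool}."""
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    met = {"compliantDevice": device.get("compliant", False),
           "domainJoinedDevice": device.get("hybrid_joined", False)}
    device_controls = [c for c in controls if c in met]
    if grant["operator"] == "AND":
        if not all(met[c] for c in device_controls):
            return "block"            # an unmet required control fails the sign-in
        return "mfa" if "mfa" in controls else "grant"
    if any(met[c] for c in device_controls):
        return "grant"                # one satisfied device control is enough
    return "mfa" if "mfa" in controls else "block"

if __name__ == "__main__":
    print(json.dumps(build_policy("OR"), indent=2))
    print(grant_outcome(build_policy("OR"), {"hybrid_joined": True}))  # grant
```

Note that with the operator set to "AND", a device that is hybrid-joined but not marked compliant is blocked rather than prompted, which is why the "require one of the selected controls" setting matters for the bypass the thread describes.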