Forum Discussion
MFA prompt frequency
I was reading through here and trying to figure out when my users will be prompted to re-authorize within their Outlooks. As in the link below, it seems like as long as they are using their existing computers and Outlook profiles, it won't bother them to re-auth. Is that correct? It's only really when logging in from new devices or creating new Outlook profiles. Does that sound correct? Originally I thought it would prompt them in their existing Outlook profiles every 90 days.
https://help.duo.com/s/article/3813?language=en_US
9 Replies
- mcapehart (Copper Contributor)
I am trying to figure out how to extend the frequency of the MFA requirement past 90 days. The MFA settings in Entra show 0-365 days, but if I enter 91 or more days I get an error message that I can't go past 90 days.
"Once every 90 days" is for the scenario when you don't use the application continuously. If you do, the token is renewed automatically, and unless something like a password change occurs it will never prompt for creds. Since multi-factor auth is considered more secure, for it the 90 days inactive period doesn't apply, and it is now indefinite. More details for example here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
- PS_83 (Brass Contributor)
I went through that the other day but it wasn't clear to me. Our users pretty much have Outlook open 24/7 365, so does that mean they won't need to re-authorize ever unless they get a new device or I need to make them a new Outlook profile?
Generally speaking, yes. The token can expire in the event of password change, or if revoked by admins.
- If they have Azure AD joined machines that have Windows Hello, they won't be prompted, as your device PIN / biometric and TPM key are your MFA and modern auth rides off of this. However, if they use normal machines connected to an old school domain or hybrid setup, they will be required to reauth based on your timeout settings; default I want to say allows for 60 days saved (might be 45, can't recall off top of head).
- PS_83 (Brass Contributor)
I added an Azure AD P1 license and whitelisted the office IP, which solves that problem.
- PS_83 (Brass Contributor)
Thanks! I'm really only concerned with the frequency that Outlook will prompt to re-auth. They don't use OWA often if ever. Any idea where I can see that in the admin portal?