Hi all, We have an Azure APP that we want to always ask for MFA code. This is a sensitive app that requires connecting from outside our LAN.Right now, our service settings is set to allow users to remember MFA on devices they trust for 30 days.I need to bypass this and force the users to always enter credentials every time they login to the app. Is there a way to do that? Thanks, Rahamim.

RahamimL you can set MFA policies per app if you have Azure AD P1/P2 using conditional access. However, AFAIK it can not be used to overrule the "remember MFA for 30 days".

Azure app to always ask for MFA | Microsoft Community Hub

8 Replies

pnjihia
Copper Contributor
Jan 06, 2022
RahamimL .. were you able to get past this? I agree, 30 days is a bit much for sensitive apps.
- RahamimL
  Iron Contributor
  Jan 08, 2022
  We use a different method - We force users to use only azure joined or hybrid joined computers with conditional access. this allows us to control how people will use high risk apps.
  - pnjihia
    Copper Contributor
    Jan 10, 2022
    RahamimL .. Thanks!
VasilMichev
MVP
Mar 25, 2019
Afaik you cannot. Daniel Stefaniak was just discussing a similar scenario on another board, perhaps he can tune in here as well.
- Daniel Stefaniak
  Former Employee
  Mar 25, 2019
  VasilMichev
  in genera prompts are bad for security:
  
  https://duo.com/blog/usability-is-security-the-future
  
  https://duo.com/blog/part-1-usability-is-security. We will not let you compromise your security posture by breaking fundamentals of SSO
  - RahamimL
    Iron Contributor
    Mar 25, 2019
    This isn't about breaking SSO, I need a way to give the user a prompt for credentials because the azure app is sensitive and my users don't always come from a trusted computer.
    Think about it like always using Skype for business plug-in when adding to the URL "?sl=1".
    Thanks, Rahamim.

Forum Discussion

Azure app to always ask for MFA