Forum Discussion
Tim_Healey
Jul 17, 2023, Copper Contributor
Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times/day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get pro...
Spindle8551
Jul 17, 2023, Copper Contributor
What are your CA policy settings? Are your devices hybrid joined or Azure AD registered? By "every 90 days", I presume you mean this is a sign-in frequency setting?
Assuming the device is hybrid joined or Azure AD registered (Entra registered), it should be honoring a PRT. Look at the sign-in logs and make sure you have the column 'Incoming token type' selected. It will show you either nothing or Primary Refresh Token. I suspect it will be nothing most of the time. If this is the case, the PRT is being invalidated and it's likely a TPM issue, which is hardware-related. I've had to get intimately familiar with this article: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-invalidated
Hope that helps, but knowing more about the CA policy could be helpful too.
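The check described above (looking at 'Incoming token type' per sign-in) can be scripted against an export of the sign-in logs. The following is an added example, not code from the thread: it assumes records shaped like Microsoft Graph `signIn` objects with the fields `userPrincipalName`, `incomingTokenType`, `authenticationRequirement` and `deviceDetail.trustType`, and uses constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like Microsoft Graph `signIn` records exported
# as JSON; the UPNs and values are invented for this example.
SAMPLE_SIGNINS = json.loads("""[
  {"userPrincipalName": "alice@contoso.example", "incomingTokenType": "primaryRefreshToken",
   "authenticationRequirement": "singleFactorAuthentication",
   "deviceDetail": {"trustType": "Azure AD registered"}},
  {"userPrincipalName": "bob@contoso.example", "incomingTokenType": "none",
   "authenticationRequirement": "multiFactorAuthentication",
   "deviceDetail": {"trustType": "Azure AD registered"}},
  {"userPrincipalName": "bob@contoso.example", "incomingTokenType": "none",
   "authenticationRequirement": "multiFactorAuthentication",
   "deviceDetail": {"trustType": "Azure AD registered"}},
  {"userPrincipalName": "bob@contoso.example", "incomingTokenType": "primaryRefreshToken",
   "authenticationRequirement": "singleFactorAuthentication",
   "deviceDetail": {"trustType": "Azure AD registered"}},
  {"userPrincipalName": "carol@contoso.example", "incomingTokenType": "none",
   "authenticationRequirement": "multiFactorAuthentication",
   "deviceDetail": {"trustType": ""}}
]""")

def summarize(signins):
    """Per user: total sign-ins, sign-ins that carried a PRT, and MFA-required
    sign-ins that arrived without one (the pattern behind repeated prompts)."""
    stats = defaultdict(lambda: {"total": 0, "with_prt": 0,
                                 "mfa_without_prt": 0, "unregistered_device": 0})
    for s in signins:
        rec = stats[s["userPrincipalName"]]
        rec["total"] += 1
        has_prt = s.get("incomingTokenType") == "primaryRefreshToken"
        needs_mfa = s.get("authenticationRequirement") == "multiFactorAuthentication"
        if has_prt:
            rec["with_prt"] += 1
        elif needs_mfa:
            rec["mfa_without_prt"] += 1
        # An empty trustType means the device is not registered at all, so no PRT
        # is expected; that is a different problem from an invalidated PRT.
        if not s.get("deviceDetail", {}).get("trustType"):
            rec["unregistered_device"] += 1
    return dict(stats)

def suspect_prt_invalidation(signins, threshold=2):
    """Users whose registered devices repeatedly hit MFA without a PRT."""
    return sorted(u for u, r in summarize(signins).items()
                  if r["mfa_without_prt"] >= threshold and r["unregistered_device"] == 0)
```

Users returned by `suspect_prt_invalidation` are the ones worth checking with `dsregcmd /status` and the TPM event logs on the device, as the thread goes on to do.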
Tim_Healey
Jul 18, 2023, Copper Contributor
Devices are Azure AD registered. Yes, there is a sign-in frequency control of 90 days. Other than that, it targets all cloud apps and grants access with MFA required. There is no requirement in the policy that the device be Azure AD joined or compliant.
You're right that the "Incoming token type" is often none in the sign-ins. Interesting that it could be TPM, because we're on device number 2. It could be a coincidence. Windows does not indicate any problems with TPM.
Spindle8551
Jul 18, 2023, Copper Contributor
Tim_Healey
Jul 18, 2023, Copper Contributor
Thanks, this is helpful. Current AzureADPrt state is YES, but I'll comb through Event Viewer when the problem recurs.