Background: We use DUO (MFA) as a custom control under Azure AD conditional access policies for Office 365. Ref: https://duo.com/docs/azure-ca For mobile applications that use the OneDrive/SharePoint app, we have a conditional access policy that prompts for DUO.
Current situation: The user signs into the app -> prompted for DUO. Once authenticated, the user gets a pair of access/refresh tokens. So ideally, since the refresh token is valid for 90 days, in case of inactivity there would be no primary/secondary auth prompts until the refresh token expires OR is revoked (password change, new policy etc.).
Ask: The user should be prompted more frequently for DUO MFA on mobile apps, let's say every time they are inactive for 2 hours.
I stumbled upon solutions like changing the MaxInactiveTime for refresh tokens to, let's say, 1 day: if the user doesn't access the app, then they would be asked to re-authenticate. Or MaxAgeSingleFactor -> e.g. if set to 14 days, every time after this they would have to re-authenticate.
1. I have a few doubts with these approaches: What would be the effect of setting these, in particular on: the Outlook client app on Windows/Macs? OWA and SPO/PJO browser access?
2. Is there a way to aim these at only the SharePoint and OneDrive mobile apps? Maybe some guidance on using the object ID?
Changing the token lifetime will affect all clients/devices, and while you can configure this per Office 365 workload, the process is not very well documented and you will have to guesstimate some of the required appIDs. In other words, I wouldn't recommend using this method for your scenario.