Apr 30 2020 - last edited on Jul 27 2020
We have not that long ago enabled Azure MFA via conditional access for the most important users in the company. At the time of deployment it got thrown in with probably little appreciation for all the settings you can do.
Azure MFA is for the most part accepted nicely by all, but I wanted to check with the community if we could have selected the settings better to make it an even better user experience.
The number one feedback we get is that MFA prompts happen too often. MFA prompts 7 days apart are not going down well with everyone :)
So we have MFA enabled via Conditional Access and only for a group of users.
Conditional Access is set to ALL cloud apps with no exceptions
Conditional Access is set to all locations but excluding 2 trusted networks
In the Azure AD MFA service settings we allow remembering the MFA token for 7 days.
I understand that if using the option to remember the MFA prompt for 7 days when using a browser to log in to things, it will set a persistent cookie that survives even after the browser has been closed or the system has been rebooted.
If you don't select that box and you close the browser window and re-open it, you are asked for MFA again.
For non-browsers, they don't show the option to remember the token for 7 days; instead they use the refresh token, which every hour grants an access token if the last 2-step MFA happened within the last 7 days (or whatever you set under the MFA service settings).
I don't know if:
I am really hoping someone in the community has some good ideas, although I am aware that we ourselves select the settings we want. But just because we have gone for these settings does not mean they are generally considered good ones.
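The policy described in the post (all cloud apps, all locations except the trusted networks, MFA required for one group), written out for the Microsoft Graph PowerShell SDK so the settings can be reviewed and version-controlled rather than read back from the portal. This is an added example, not code from the thread; the group and named-location IDs are placeholders, and the "remember MFA" duration itself is a tenant-wide MFA service setting, not part of this policy object.

```powershell
# Added example: recreate the Conditional Access policy from the post via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$mfaGroupId         = "<objectId of the MFA user group>"               # placeholder
$trustedLocationIds = @("<namedLocation id 1>", "<namedLocation id 2>") # placeholders

$policy = @{
    displayName = "Require MFA - selected users, all apps, outside trusted networks"
    # Start in report-only to see how many sign-ins would be prompted before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($mfaGroupId) }
        applications = @{ includeApplications = @("All") }   # ALL cloud apps, no exceptions
        locations    = @{
            includeLocations = @("All")
            excludeLocations = $trustedLocationIds           # the 2 trusted networks
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                             # grant access: require MFA
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `"enabled"` once the report-only sign-in logs show the expected prompt volume.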
May 01 2020 01:04 AM
May 01 2020 02:03 AM
@Thijs Lecomte I actually did think that perhaps 14 days would be good.
We have not as of yet done any hybrid join other than a select few machines from IT.
This certainly makes a case for it. Do you know how that works with Android and iPads that are in Intune as fully supervised devices?
May 01 2020 02:08 AM - Solution
May 01 2020 05:18 AM - edited May 01 2020 05:18 AM
@RippieUK As you haven't rolled out Azure MFA on a large scale just yet, I want to send a heads up for the Azure Identity Protection MFA registration policy. Perhaps you've already had a look at it, but here's the MS doc https://docs.microsoft.com/sv-se/azure/active-directory/identity-protection/howto-identity-protectio...
@Thijs Lecomte something to share from your own experience using this policy as well? :)
May 05 2020 01:06 AM
@ChristianBergstrom Thank you for that piece of information. We currently have something similar set in our default conditional access policy, which says in the grant access section to require MFA, which forces people to go and sign up for that. Not sure if they can bypass it though.