MFA expected behaviour - Mac devices

We have implemented MFA for a company who use stand-alone Mac devices (log in as local users) running the latest OS and Outlook, and they are currently only allowed to remember MFA on a device for 1 day.

Each day when prompted for MFA, they are also prompted to input their 365 username and password; is this expected behaviour for this setup, or should it only display the MFA approval prompt?

 

We have lots of other clients who use MFA for 365 but these are mostly hybrid identities or federated domains and whilst I don't expect username+password prompts to occur for these, I would expect it to occur for the scenario above, but just wanted some clarification.

 

I also expect this to be down to the individual device\app settings with regards to cached credentials etc. but my unfamiliarity with Mac makes me uncertain.

 

Thanks in advance!

2 Replies

@JRSpringham Can you give some details about your setup? Are you using Conditional Access Sign-in frequency or Persistent browser session? 

@JanBakker330 Thanks for the response.

 

It's a very basic setup - each user account has been individually enabled for MFA (they have then signed in to Office.com and configured MFA with the Authenticator App) only.

No Conditional Access policies or any MDM controlling the Macs; they simply log in with local accounts to the Macs and have Outlook etc. installed.

 

I'm not trying to get it to pass-through or anything, just establish what the baseline behaviour should be for this basic setup and to understand if being prompted for credentials etc. is normal under the circumstances.

 

If you need any further info, happy to supply it.