Azure AD MFA with Conditional Access Policy


Hi All,


I'm planning on implementing Azure AD MFA with a conditional access policy.
I have gone through all the steps and have a good understanding of the process. However, I have a bit of a grey area on which I'd like to get your thoughts.
I have my Conditional Access Policy's Sign-in frequency set up to 2 hours for test purposes.

I have my user who is working as normal.

I send the user to register for MFA via the https://aka.ms/MFASetup URL and it's successful.
I added the user to the pilot group to which I have assigned the Conditional Access Policy.

My question is: will the user get the very first (initial) sign-in prompt 2 hours after they signed up for MFA?

Also, I would like to clarify how the timing works on an unmanaged device and an Azure AD registered device.


Thanks,

Shehan.

1 Reply
best response confirmed by shehanjp (Iron Contributor)
Solution

@shehanjp 


So, the following is from the Session Controls within a CA policy: "Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer".

So I would think that you can work on the principle that after 2 hours of inactivity, they will be prompted for sign-in, and at this point, they will be challenged to register for MFA.
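The pilot setup discussed in this thread (MFA required for a pilot group, sign-in frequency of 2 hours) expressed as a Microsoft Graph PowerShell script, added here as an example; it is not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed, and the group id, policy name and user principal name are placeholders you replace with your own. The policy is created in report-only mode so that the sign-in logs show when the session control would have fired before it is enforced.

```powershell
# Added example (not from the thread): builds the pilot Conditional Access policy the
# question describes (MFA for one pilot group, sign-in frequency of 2 hours) and then
# reads the pilot user's recent sign-ins to see whether the policy applied.
# Placeholders: $pilotGroupId, $policyName and $upn must be replaced with your own values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All","Directory.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the MFA pilot group
$policyName   = "CA-Pilot-MFA-2h-SignInFrequency"         # placeholder policy name

$policy = @{
    displayName = $policyName
    # Report-only first: sign-in logs record what the policy WOULD do, nothing is enforced yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # The session control quoted in the answer: ask the user to sign in again after 2 hours
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 2
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) ($($created.Id)) in state $($created.State)"

# Verification: after the pilot user has signed in, list which CA policies applied and
# whether MFA was required. ConditionalAccessStatus reads 'reportOnly' while the policy
# is in report-only mode; once enforced it reads 'success' or 'failure'.
$upn = "pilot.user@contoso.example"   # placeholder: UPN of the pilot user
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    Select-Object CreatedDateTime, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus,
        @{ n = 'PolicyResult'; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object DisplayName -eq $policyName | Select-Object -ExpandProperty Result) } }
```

Run the first half once to create the policy, then re-run the sign-in query after the pilot user has worked through a session: the timestamps of entries whose PolicyResult is not empty show when the prompt fired relative to the previous sign-in, which is the timing question raised above. Switch the state to "enabled" (for example with Update-MgIdentityConditionalAccessPolicy) only after the report-only results look right.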