Azure AD MFA with Conditional Access Policy


Hi All,

 

I'm planning on implementing Azure AD MFA with a Conditional Access policy.
I have gone through all the steps and have a good understanding of the process. However, I have a bit of a grey area that I would like to get your thoughts on.
I have my Conditional Access policy's sign-in frequency set up to 2 hours for test purposes.

I have my user who is working as normal.

I sent the user to register for MFA via the https://aka.ms/MFASetup URL and it was successful.
I added the user to the pilot group to which I have assigned the Conditional Access policy.

My question is: will the user get the very first (initial) sign-in prompt 2 hours after they signed up for MFA?

Also, I would like to clarify how the timing works on an unmanaged device and an Azure AD registered device.

 

Thanks,

Shehan.

1 Reply

@shehanjp 

 

So, the following is from the Session Controls within a CA policy - "Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer".

So I would think that you can work on the principle that after 2 hours of inactivity, they will be prompted to sign in, and at this point, they will be challenged to register for MFA.
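The pilot policy discussed in this thread, written out as Microsoft Graph PowerShell. This is an added example and not code from either poster: it creates a Conditional Access policy that targets one pilot group, requires MFA as the grant control, sets the sign-in frequency session control to 2 hours, and then reads the pilot user's recent sign-in log entries so you can see whether that policy was evaluated and which session controls were actually enforced rather than guessing at the timing. The Microsoft.Graph module, the Conditional Access Administrator role, and the `$PilotGroupId` and `$TestUserUpn` placeholder values are assumptions you must replace with your own tenant's values.

```powershell
# Added example (not from the original thread): create the pilot CA policy
# with Microsoft Graph PowerShell, then inspect the sign-in log to confirm
# the sign-in frequency session control is being applied.
# Assumptions: Microsoft.Graph module installed, caller holds the
# Conditional Access Administrator role, and the two placeholder values
# below are replaced with real tenant values.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'Application.Read.All',
                        'AuditLog.Read.All'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of the pilot group
$TestUserUpn  = 'pilot.user@contoso.example'             # placeholder: UPN of the pilot user

$policy = @{
    displayName = 'Pilot - Require MFA, sign-in frequency 2 hours'
    # Start in report-only mode so the sign-in log shows what the policy
    # WOULD do to real users before it is enforced; flip to 'enabled' once
    # the pilot behaves as expected.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'   # 'hours' or 'days'
            value     = 2
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: the pilot user's most recent sign-ins, showing the outcome
# of this policy and the session controls that were enforced on each one.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$TestUserUpn'" -Top 10 |
    ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id } |
            ForEach-Object {
                [pscustomobject]@{
                    When                    = $signIn.CreatedDateTime
                    Policy                  = $_.DisplayName
                    Result                  = $_.Result   # success, failure, notApplied, reportOnly*
                    EnforcedGrantControls   = ($_.EnforcedGrantControls -join ',')
                    EnforcedSessionControls = ($_.EnforcedSessionControls -join ',')
                }
            }
    } | Format-Table -AutoSize
```

Running the verification step a few times across the day answers the original question empirically: each sign-in entry records whether the policy applied and whether the `signInFrequency` control was enforced at that moment. Keep the policy in report-only state until those entries look right, and exclude at least one break-glass account from the group before switching it to `enabled`, so a mis-scoped MFA requirement cannot lock the administrators out.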