Forum Discussion
Tony Rogers
Sep 21, 2018 Copper Contributor
Preventing Multiple MFA checks for Office 365 users
Hi, I'm looking for suggestions to improve the experience of Office 365 users with MFA. We're using Conditional Access in Azure AD to apply MFA to Office 365 users coming from outside the corp...
- Sep 21, 2018
I believe each app has its own auth token, which gets issued after login with MFA in this case. Each app you configure with conditional access with MFA will ask upon access! I think there are some services that share this token though...
You can lower the MFA requests though by configuring MFA for trusted devices in the policy to bypass reauthentication for a chosen period, but this doesn't affect that you still have separate MFA prompts for different apps...
/ Adam
VasilMichev
Sep 21, 2018 MVP
What Adam mentioned above is true - different applications need to authenticate against Azure AD and pass the 2FA challenge in order to obtain a token. Token sharing is only possible between some apps, such as Office, but in general it's "every app for itself". In some cases even multiple instances of the same app will generate a new token each time. So in a nutshell, it's a classic example of "ease of use vs security", it's up to you to decide which one is more important for your organization.
Since the token lifetime is in the span of days, even weeks, users will not be bothered that much after the initial login. You also have the option to use the Keep me signed in control, and also configure the "remember device for XXX days" setting for MFA. Lastly, you have options to require MFA for specific apps only when you configure the CA policies, so excluding some "low value" assets is one way to go.