Forum Discussion
Preventing Multiple MFA checks for Office 365 users
- Sep 21, 2018
I believe each app has its own auth token, which gets issued after login with MFA in this case. Each app you configure with conditional access with MFA will ask upon access! I think there are some services that share this token though..
You can lower the MFA requests though by configuring MFA for trusted devices in the policy to bypass reauthentication for a chosen period, but this doesn't affect that you still have separate MFA prompts for different apps..
/ Adam
Thanks for your reply. I also had a reply from Microsoft support confirming that authentication is separate for each component of Office 365.
Tony
- dannyg1, May 14, 2020, Copper Contributor
Tony Rogers, one of the suggestions from a recent support case was to include Windows Hello for Business during Sign In which adds the MFA claim to the PRT (although in a Hybrid AD + AAD environment the PRT is only valid for 14 days before needing to have 'line of sight' to a Domain Controller).
I've confirmed this with an Azure AD joined only computer using Windows Hello for Business and the experience is much better. When tokens expire I usually only see one MFA prompt.
I haven't had a chance to see a real world example of a Hybrid setup with AD + AAD joined clients using Windows Hello for Business to see if this reduces MFA prompts when devices are outside of a corporate network. If anyone has tried this and can confirm it operates in the same way as an Azure AD only joined device then please let me know.