I explain again: either the behavior is not consistent or it's not understood clearly.
1. When the machine is hybrid and it is restarted, or the user logs off and logs on again, this is after changing the password. In my case passwords are changed through a portal, which then updates/pushes them in AD.
a. The “Windows Sign” operation will get a PRT token which will include the MFA token, and then the user will not be prompted for MFA ANYMORE when accessing any service (Mail, Teams, PowerBI, etc.).
b. This is based on this reading:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is...
c. And the PRT includes the MFA claim here:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-d...
2. However, when I test the same by clicking “REVOKE ALL SESSIONS” or Sign Out User from all applications, and then the user signs in again, he/she is being prompted for MFA. Why?
a. It is true for both the Outlook Desktop Client and the Teams Desktop Client.
b. Or any BROWSER session too, correct?
c. But the OneDrive for Business client never prompts for MFA?
d. Browser-based sessions use WAM AND desktop clients use CloudAP, correct?