Forum Discussion
MFA claim expired - Breaking web apps
Hi All,
Testing:
- Passwordless (Phone Sign-in baseline)
- Sign in Frequency (Shorter than tenant setting)
- Desktops are hybrid, receiving their PRT but do not use WH4B
- Tenant still has Remember Trusted device for X Days enabled
I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state.
Research is pointing to the tenant-wide remember trusted device setting, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF seems to resolve the MFA claim expiry immediately; I'll check in a few days to see if that is still the case, as it'd be outside the trusted device setting interval too.
I have a support request open at the moment with the advice to enable persistent browser sessions, which I'll test, but I don't think that is the core of the issue. Is there a way around this? Have others had similar issues?
Thanks!
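Added example (not code from the thread or from Microsoft): a Microsoft Graph PowerShell audit that lists which Conditional Access policies set a Sign-in Frequency and whether they also set a Persistent Browser mode, so the SIF/persistent-browser combination discussed above can be reviewed per policy before changing tenant-wide settings. It assumes the Microsoft.Graph PowerShell SDK is installed and the account has the Policy.Read.All permission.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $sif = $p.SessionControls.SignInFrequency      # signInFrequencySessionControl
    $pb  = $p.SessionControls.PersistentBrowser    # persistentBrowserSessionControl

    # Skip policies that configure neither session control.
    if (-not $sif.IsEnabled -and -not $pb.IsEnabled) { continue }

    $sifText = "-"
    if ($sif.IsEnabled) { $sifText = "$($sif.Value) $($sif.Type)" }   # e.g. "14 days"

    $pbText = "-"
    if ($pb.IsEnabled) { $pbText = $pb.Mode }                         # "always" / "never"

    [pscustomobject]@{
        Policy            = $p.DisplayName
        State             = $p.State          # enabled / disabled / reporting-only
        SignInFrequency   = $sifText
        PersistentBrowser = $pbText
        # SIF set without an explicit persistent-browser mode is the pattern the
        # support advice in the thread targets; flag it for review.
        ReviewSuggested   = [bool]($sif.IsEnabled -and -not $pb.IsEnabled)
    }
}

$report | Sort-Object ReviewSuggested -Descending | Format-Table -AutoSize
```

The tenant-wide "remember MFA on trusted devices" setting is not exposed through these policy objects; check it separately in the per-user MFA service settings.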
4 Replies
- allytween (Copper Contributor): I've been having the same issue as well. Hybrid - remember trusted devices turned off, persistent browsing turned on, SIF of 14 days. We did narrow down further that attempting to sign in with your 'Connected to Windows' account in the browser pop up gives a failure due to the 'expired' claim, but if you click the 'Use another account' button and then sign in with your account that way, you are able to sign in without any issue.
Notably, when I signed in to my computer using my yubikey, my account was no longer 'expired' for MFA on the device.
We can get around it currently by opening browsers in incognito or by signing out of the Edge browser and back in and choosing the 'Use another account' option. I'm glad I'm not the only person seeing this behaviour. I'll let you know if we get anything useful tomorrow!
- anday (Copper Contributor): I've been seeing this same issue for random individuals. Claim expires and is never renewed, and the conditional access policy has been enabled for months with no issues. I also have a support ticket submitted; did you ever receive an additional response/resolution?
- Gabrielalexander (Copper Contributor): I'm presently seeing this issue in my environment. It affects random users with a CA policy that was deployed weeks ago; other users targeted by the CA policy aren't affected. I have opened a ticket with Microsoft. Seems that the MFA session token is not being passed back to Microsoft. Were you able to resolve your issue?