Prompts for MFA across OneDrive, Teams, Outlook


Hi All

 

Got a weird issue here. A customer I am working with has mentioned that after 60 days, when he is prompted for MFA, users are getting prompted not once but once when they sign in to OneDrive, then into Teams and then into Outlook. It only seems to be these three apps, and they will be ok for 60 days and then the same behaviour will be seen.

 

I have checked trusted locations and the MFA settings and also reviewed the conditional access settings setup, but am stuck.

 

As an example, for one user, looking at the sign-ins for the user all seems to be normal. There are many conditional access policies; however, most are not applied, and they are either successes or disabled.

 

Has anyone else seen this behaviour? 

 

Thanks

4 Replies

@isotonic_uk 

 

This behaviour is correct if they are using the Office 365 MFA, which will trigger all those apps upon 60 days.

 

You mentioned that you also have conditional access? If I'm not wrong, the Office 365 MFA supersedes the conditional access policies tied to the user.

I think this is ok. With ADAL authentication, Windows uses Work or School account to sign in to the apps.

You can try to disable ADAL and push the PC to authenticate to the cloud directly; it may change the behavior.

Moe

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001

@isotonic_uk Hello, even though @Moe_Kinani replied with a workaround that historically fixed similar issues with authentication, it shouldn't be used anymore. As for the prompt, it most likely shows as the "remember device" service setting is ticked, and it's configurable 1-60 days **edit** (just checked and it's 365 now). I understand the customer has CA in their subscription, so they should be able to work around this to either exclude managed devices, trusted locations, sign-in frequency etc. and not use the remember MFA service setting.

 

The WAM/ADAL issue

https://docs.microsoft.com/en-my/office365/troubleshoot/authentication/connection-issue-when-sign-in...

 

As for your question "60 days" (note the admins update)

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35055382-mfa-remember-de...


Sign-in frequency
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-... 

 

To assist in reviewing your settings

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

 

Hope it helps.
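An added audit script, not part of this thread, that reports the two settings discussed above in one place: the client-side ADAL/WAM override key quoted earlier and the sign-in frequency and persistent-browser session controls on each Conditional Access policy. It assumes the Microsoft.Graph PowerShell SDK is installed and that Connect-MgGraph has already been run with Policy.Read.All; the function names are my own.

```powershell
# Added example for reviewing the settings discussed in this thread.
# Assumes: Microsoft.Graph PowerShell SDK installed, Connect-MgGraph already run
# with Policy.Read.All. The registry path is the one quoted in the thread.

function Get-OfficeAdalOverride {
    # Reports whether the (now discouraged) ADAL-over-WAM override is set on this PC.
    $path  = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.DisableADALatopWAMOverride } else { $null }
    [pscustomobject]@{
        Path                       = $path
        DisableADALatopWAMOverride = $value
        OverrideActive             = ($value -eq 1)   # 1 = legacy workaround still in place
    }
}

function Get-CaSessionControlReport {
    # Lists each CA policy with its sign-in frequency and persistent-browser settings,
    # so you can see which policies (if any) actually govern re-prompt intervals.
    Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
        $sif = $_.SessionControls.SignInFrequency
        [pscustomobject]@{
            Policy            = $_.DisplayName
            State             = $_.State            # enabled / disabled / enabledForReportingButNotEnforced
            SignInFreqEnabled = [bool]$sif.IsEnabled
            SignInFrequency   = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { 'not set' }
            PersistentBrowser = $_.SessionControls.PersistentBrowser.Mode
        }
    }
}

# Usage:
Get-OfficeAdalOverride | Format-List
Get-CaSessionControlReport | Sort-Object State, Policy | Format-Table -AutoSize
```

Policies that are enabled but carry no sign-in frequency leave the re-prompt interval to the tenant-wide "remember MFA" setting, which is the case the reply above suggests moving away from.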

Many thanks for all the replies. Very useful and certainly something I can work with.

I agree, I think CA is the way forward to avoid unnecessary prompts when in a safe network defined by CA.