Sep 02 2020 12:13 PM
Hi All
Got a weird issue here. A customer I am working with has mentioned that after 60 days, when he is prompted for MFA, users are getting prompted not once but once when they sign in to OneDrive, then into Teams and then into Outlook. It only seems to be these three apps, and they will be OK for 60 days and then the same behaviour will be seen.
I have checked trusted locations and the MFA settings and also reviewed the conditional access settings setup but am stuck.
As an example, for one user, looking at the sign-ins for the user, all seems to be normal. There are many conditional access policies; however, most are not applied and there are either successes or disabled.
Has anyone else seen this behaviour?
Thanks
Sep 02 2020 06:56 PM
This behaviour is correct if they are using the Office 365 MFA which will trigger all those apps upon 60 days.
You mentioned that you also have conditional access? If I'm not wrong, the Office 365 MFA supersedes the conditional access policies tied to the user.
Sep 02 2020 09:51 PM
Sep 03 2020 12:25 AM - edited Sep 03 2020 12:44 AM
@isotonic_uk Hello, even though @Moe_Kinani replied with a workaround that historically fixed similar issues with authentication, it shouldn't be used anymore. As for the prompt, it most likely shows as the "remember device" service setting is ticked and it's configurable 1-60 days **edit** (just checked and it's 365 now). I understand the customer has CA in their subscription, so they should be able to work around this to either exclude managed devices, trusted locations, sign-in frequency etc. and not use the remember MFA service setting.
The WAM/ADAL issue
As for your question "60 days" (note the admins update)
Sign-in frequency
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-...
To assist in reviewing your settings
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Hope it helps.
Sep 20 2020 12:23 AM