Prompts for MFA across OneDrive, Teams, Outlook

Contributor

Hi All

 

Got a weird issue here. A customer I am working with has mentioned that after 60 days when he is prompted for MFA users are getting prompted not once but once when they signin into Onedrive, then into Teams and then into Outlook. It only seems to be these three apps and they will be ok for 60 days and then the same behaviour will be seen. 

 

I have checked trusted locations and the MFA settings and also reviewed the conditional access settings setup but am stuck. 

 

As an example for one user looking at the sign-ins for the user all seems to be normal. There are many conditional access policies however most are not applied and there are either successes or disabled. 

 

Has anyone else seen this behaviour? 

 

Thanks

4 Replies

@isotonic_uk 

 

This behaviour is correct if they are using the Office 365 MFA which will trigger all those apps upon 60 days. 

 

You mentioned that you also have conditional access? If im not wrong, the Office 365 MFA supercedes the conditional access policies tied to the user.

I think this is ok. With ADAL authentication, Windows uses Work or School account to sign in to the apps.

You can try to disable ADAL and push the PC to authenticate to the cloud directly., it may change the behavior.

Moe

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001

@isotonic_uk Hello, even though @Moe_Kinani replied with a workaround that historically fix similar issues with authentication it shouldn't be used anymore. As for the prompt it most likely shows as the "remember device" service setting is ticked and it's configurable 1-60 days **edit** (just checked and its 365 now). I understand the customer has CA in their subscription so they should be able to work around this to either exclude managed devices, trusted locations, sign-in frequency etc. and not use the remember mfa service setting.

 

The WAM/ADAL issue

https://docs.microsoft.com/en-my/office365/troubleshoot/authentication/connection-issue-when-sign-in...

 

As for your question "60 days" (note the admins update)

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35055382-mfa-remember-de...


Sign-in frequency
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-... 

 

To assist in reviewing your settings

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

 

Hope it helps.

Many thanks for all the replies. Very useful and certainly something I can work with.

I agree think CA is the way forward to a avoid unneccessary prompts when in a safe network defined by CA,