SOLVED

MFA prompt frequency

%3CLINGO-SUB%20id%3D%22lingo-sub-822063%22%20slang%3D%22en-US%22%3EMFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822063%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20reading%20through%20here%20and%20trying%20to%20figure%20out%20when%20my%20users%20will%20be%20prompted%20to%20re-authorize%20within%20their%20Outlooks%20as%20in%20the%20link%20below%20it%20seems%20like%20as%20long%20as%20they%20are%20using%20their%20existing%20computers%20and%20Outlook%20profiles%2C%20it%20won't%20bother%20them%20to%20re-auth.%20Is%20that%20correct%3F%20It's%20only%20really%20when%20logging%20in%20from%20new%20devices%20or%20creates%20new%20outlook%20profiles.%20Does%20that%20sound%20correct%3F%20Originally%20I%20thought%20it%20would%20prompt%20them%20in%20their%20existing%20Outlook%20profiles%20every%2090%20days%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fhelp.duo.com%2Fs%2Farticle%2F3813%3Flanguage%3Den_US%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fhelp.duo.com%2Fs%2Farticle%2F3813%3Flanguage%3Den_US%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-822063%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822239%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822239%22%20slang%3D%22en-US%22%3EIf%20they%20have%20azure%20ad%20joined%20machines%20that%20have%20windows%20hello%20they%20won't%20be%20prompted%20as%20your%20device%20Pin%20%2F%20Biometric%20and%20TPM%20key%20are%20your%20MFA%20and%20modern%20auth%20rides%20off%20of%20this.%20However%20if%20they%20use%20normal%20machines%20connected%20to%20an%20old%20school%20domain%20or%20hybrid%20setup%20they%20will%20be%20required%20to%20reauth%20based%20on%20your%20timeout%20settings%2C%20default%20I%20want%20to%20say%20allows%20for%2060%20days%20saved%20(might%20be%2045%20can't%20recall%20off%20top%20of%20head).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822640%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822640%22%20slang%3D%22en-US%22%3EThanks!%20I'm%20really%20only%20concerned%20with%20the%20frequency%20that%20Outlook%20will%20prompt%20to%20re-auth.%20They%20don't%20use%20OWA%20often%20if%20ever.%20Any%20idea%20where%20I%20can%20see%20that%20in%20the%20admin%20portal%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822972%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822972%22%20slang%3D%22en-US%22%3E%3CP%3E%22Once%20every%2090%20days%22%20is%20for%20the%20scenario%20when%20you%20don't%20use%20the%20application%20continuously.%20If%20you%20do%2C%20the%20token%20is%20renewed%20automatically%2C%20and%20unless%20something%20like%20a%20password%20change%20occurs%20it%20will%20never%20prompt%20for%20creds.%20Since%20multi-factor%20auth%20is%20considered%20more%20secure%2C%20for%20it%20the%2090%20days%20inactive%20period%20doesn't%20apply%2C%20and%20it%20is%20now%20indefinite.%20More%20details%20for%20example%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-configurable-token-lifetimes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-configurable-token-lifetimes%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823105%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823105%22%20slang%3D%22en-US%22%3EI%20went%20through%20that%20the%20other%20day%20but%20it%20wasn't%20clear%20to%20me.%20Our%20users%20pretty%20much%20have%20Outlook%20open%2024%2F7%20365%20so%20does%20that%20mean%20they%20won't%20need%20to%20re-authorize%20ever%20unless%20they%20get%20a%20new%20device%20or%20I%20need%20to%20make%20them%20a%20new%20outlook%20profile%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823124%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823124%22%20slang%3D%22en-US%22%3E%3CP%3EGenerally%20speaking%2C%20yes.%20The%20token%20can%20expire%20in%20the%20event%20of%20password%20change%2C%20or%20if%20revoked%20by%20admins.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823126%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823126%22%20slang%3D%22en-US%22%3EDo%20you%20know%20if%20the%20tokens%20auto%20expire%20in%20the%20event%20of%20account%20disable%3F%20Going%20to%20assume%20so.%20But%20wondering%20if%20you%20have%20to%20go%20in%20and%20manually%20revoke%20tokens%20or%20not%20on%20an%20account%20termination%2C%20or%20what%20quickest%20way%20to%20assure%20lock%20out%20of%20data%20access.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823986%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823986%22%20slang%3D%22en-US%22%3E%3CP%3EThey%20do%20not%2C%20but%20yeah%20you%20can%20revoke%20them%20as%20part%20of%20the%20%22deprovisioning%22%20workflow.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-870799%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20prompt%20frequency%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-870799%22%20slang%3D%22en-US%22%3EI%20added%20an%20Azure%20AD%20P1%20license%20and%20whitelisted%20the%20office%20IP%20which%20solves%20that%20problem.%3C%2FLINGO-BODY%3E
Highlighted
Contributor

I was reading through here and trying to figure out when my users will be prompted to re-authorize within their Outlooks as in the link below it seems like as long as they are using their existing computers and Outlook profiles, it won't bother them to re-auth. Is that correct? It's only really when logging in from new devices or creates new outlook profiles. Does that sound correct? Originally I thought it would prompt them in their existing Outlook profiles every 90 days

https://help.duo.com/s/article/3813?language=en_US

8 Replies
Highlighted
If they have azure ad joined machines that have windows hello they won't be prompted as your device Pin / Biometric and TPM key are your MFA and modern auth rides off of this. However if they use normal machines connected to an old school domain or hybrid setup they will be required to reauth based on your timeout settings, default I want to say allows for 60 days saved (might be 45 can't recall off top of head).
Highlighted
Thanks! I'm really only concerned with the frequency that Outlook will prompt to re-auth. They don't use OWA often if ever. Any idea where I can see that in the admin portal?
Highlighted

"Once every 90 days" is for the scenario when you don't use the application continuously. If you do, the token is renewed automatically, and unless something like a password change occurs it will never prompt for creds. Since multi-factor auth is considered more secure, for it the 90 days inactive period doesn't apply, and it is now indefinite. More details for example here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

Highlighted
I went through that the other day but it wasn't clear to me. Our users pretty much have Outlook open 24/7 365 so does that mean they won't need to re-authorize ever unless they get a new device or I need to make them a new outlook profile?

Highlighted
Best Response confirmed by Paul Storic (Contributor)
Solution

Generally speaking, yes. The token can expire in the event of password change, or if revoked by admins.

Highlighted
Do you know if the tokens auto expire in the event of account disable? Going to assume so. But wondering if you have to go in and manually revoke tokens or not on an account termination, or what quickest way to assure lock out of data access.
Highlighted

They do not, but yeah you can revoke them as part of the "deprovisioning" workflow.

Highlighted
I added an Azure AD P1 license and whitelisted the office IP which solves that problem.