SOLVED

Preventing Multiple MFA checks for Office 365 users

%3CLINGO-SUB%20id%3D%22lingo-sub-260066%22%20slang%3D%22en-US%22%3EPreventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260066%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20I'm%20looking%20for%20suggestions%20to%20improve%20the%20experience%20of%20Office%20365%20users%20with%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20using%20Conditional%20Access%20in%20Azure%20AD%20to%20apply%20MFA%20to%20Office%20365%20users%20coming%20from%20outside%20the%20corporate%20network.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20issue%20we%20have%20experienced%20is%20that%20users%20get%20separate%20MFA%20requests%20for%20each%20of%20the%20O365%20application%20components%20included%20in%20the%20Conditional%20Access%20policy.%26nbsp%3B%20They%20get%20an%20MFA%20check%20for%20Outlook%2C%20another%20one%20for%20SharePoint%2C%20a%20third%20for%20Yammer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20users%20find%20this%20annoying.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20we%20configure%20Azure%20AD%20so%20we%20MFA%20once%20for%20all%20component%20apps%20contained%20in%20the%20CA%20policy%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%20Tony%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-260066%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EYammer%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-260964%22%20slang%3D%22en-US%22%3ERe%3A%20Preventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260964%22%20slang%3D%22en-US%22%3EAdam%2C%3CBR%20%2F%3EThanks%20for%20your%20reply.%20I%20also%20had%20a%20reply%20from%20Microsoft%20support%20confirming%20that%20authentication%20is%20separate%20for%20each%20component%20of%20Office365.%3CBR%20%2F%3ETony%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-260203%22%20slang%3D%22en-US%22%3ERe%3A%20Preventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260203%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20Adam%20mentioned%20above%20is%20true%20-%20different%20applications%20need%20to%20authenticate%20against%20Azure%20AD%20and%20pass%20the%202FA%20challenge%20in%20order%20to%20obtain%20a%20token.%20Token%20sharing%20is%20only%20possible%20between%20some%20apps%2C%20such%20as%20Office%2C%20but%20in%20general%20it's%20%22every%20app%20for%20itself%22.%20In%20some%20cases%20even%20multiple%20instances%20of%20the%20same%20app%20will%20generate%20new%20token%20each%20time.%20So%20in%20a%20nutshell%2C%20it's%20a%20classic%20example%20of%20%22ease%20of%20use%20vs%20security%22%2C%20it's%20up%20to%20you%20to%20decide%20which%20one%20is%20more%20important%20for%20your%20organization.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20the%20token%20lifetime%20is%20in%20the%20span%20of%20days%2C%20even%20weeks%2C%20users%20will%20not%20be%20bothered%20that%20much%20after%20the%20initial%20login.%20You%20also%20have%20the%20option%20to%20use%20the%20Keep%20me%20signed%20in%20control%2C%20and%20also%20configure%20the%20%22remember%20device%20for%20XXX%20days%22%20setting%20for%20MFA.%20Lastly%2C%20you%20have%20options%20to%20require%20MFA%20for%20specific%20apps%20only%20when%20you%20configure%20the%20CA%20policies%2C%20so%20excluding%20some%20%22low%20value%22%20assets%20is%20one%20way%20to%20go.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-260094%22%20slang%3D%22en-US%22%3ERe%3A%20Preventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260094%22%20slang%3D%22en-US%22%3E%3CP%3ETotally%20agree%20-%20it%20so%20annoying%20and%20besides%20from%20have%20to%20approve%20for%20every%20app%20-%20I%20need%20to%20approve%20on%20our%20Work%20network%2C%20our%20NSO%20office%20and%20at%20home.%20I%20understand%20the%20importance%20of%20security%2C%20but%20it%20must%20be%20possible%20to%20do%20it%20more%20smooth%3CBR%20%2F%3E%3CBR%20%2F%3E%5CGlen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-260079%22%20slang%3D%22en-US%22%3ERe%3A%20Preventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260079%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20believe%20each%20app%20have%20it's%20own%20auth%20token%20which%20gets%20issued%20after%20login%20with%20MFA%20in%20this%20case.%26nbsp%3BEach%20app%20you%20configure%20with%20conditional%20access%20with%20MFA%20will%20ask%20upon%20access!%20I%20think%20there%20are%20some%20services%20that%20share%20this%20token%20though..%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EYou%20can%20lower%20the%20MFA%20requests%20though%20by%26nbsp%3Bconfigure%20MFA%20for%20trusted%20devices%20in%20the%20policy%20to%20bypass%20reauthentication%20for%20a%20chosen%20period%2C%20but%20this%20doesn't%20affect%20that%20you%20still%20have%20separate%20MFA%20prompts%20for%20different%20apps..%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%2F%20Adam%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1388054%22%20slang%3D%22en-US%22%3ERe%3A%20Preventing%20Multiple%20MFA%20checks%20for%20Office%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1388054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F199790%22%20target%3D%22_blank%22%3E%40Tony%20Rogers%3C%2FA%3E%26nbsp%3Bone%20of%20the%20suggestions%20from%20a%20recent%20support%20case%20was%20to%20include%20Windows%20Hello%20for%20Business%20during%20Sign%20In%20which%20adds%20the%20MFA%20claim%20to%20the%20PRT%20(although%20in%20a%20Hybrid%20AD%20%2B%20AAD%20environment%20the%20PRT%20is%20only%20valid%20for%2014%20days%20before%20needing%20to%20have%20'line%20of%20sight'%20to%20a%20Domain%20Controller).%3C%2FP%3E%3CP%3EI've%20confirmed%20this%20with%20an%20Azure%20AD%20joined%20only%20computer%20using%20Windows%20Hello%20for%20Business%20and%20the%20experience%20is%20much%20better.%20When%20tokens%20expire%20I%20usually%20only%20see%20one%20MFA%20prompt.%3C%2FP%3E%3CP%3EI%20haven't%20had%20a%20chance%20to%20see%20a%20real%20world%20example%20of%20a%20Hybrid%20setup%20with%20AD%20%2B%20AAD%20joined%20clients%20using%20Windows%20Hello%20for%20Business%20to%20see%20if%20this%20reduces%20MFA%20prompts%20when%20devices%20are%20outside%20or%20a%20corporate%20network.%20If%20anyone%20has%20tried%20this%20and%20can%20confirm%20it%20operates%20in%20the%20same%20way%20as%20Azure%20AD%20only%20joined%20device%20then%20please%20let%20me%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

 

Hi, I'm looking for suggestions to improve the experience of Office 365 users with MFA.

 

We're using Conditional Access in Azure AD to apply MFA to Office 365 users coming from outside the corporate network.

 

The issue we have experienced is that users get separate MFA requests for each of the O365 application components included in the Conditional Access policy.  They get an MFA check for Outlook, another one for SharePoint, a third for Yammer.

 

Our users find this annoying.

 

How can we configure Azure AD so we MFA once for all component apps contained in the CA policy?

 

Cheers, Tony

5 Replies
Highlighted
Best Response confirmed by Tony Rogers (New Contributor)
Solution

 

I believe each app have it's own auth token which gets issued after login with MFA in this case. Each app you configure with conditional access with MFA will ask upon access! I think there are some services that share this token though..

You can lower the MFA requests though by configure MFA for trusted devices in the policy to bypass reauthentication for a chosen period, but this doesn't affect that you still have separate MFA prompts for different apps..

 

/ Adam

Highlighted

Totally agree - it so annoying and besides from have to approve for every app - I need to approve on our Work network, our NSO office and at home. I understand the importance of security, but it must be possible to do it more smooth

\Glen

Highlighted

What Adam mentioned above is true - different applications need to authenticate against Azure AD and pass the 2FA challenge in order to obtain a token. Token sharing is only possible between some apps, such as Office, but in general it's "every app for itself". In some cases even multiple instances of the same app will generate new token each time. So in a nutshell, it's a classic example of "ease of use vs security", it's up to you to decide which one is more important for your organization.

 

Since the token lifetime is in the span of days, even weeks, users will not be bothered that much after the initial login. You also have the option to use the Keep me signed in control, and also configure the "remember device for XXX days" setting for MFA. Lastly, you have options to require MFA for specific apps only when you configure the CA policies, so excluding some "low value" assets is one way to go.

Highlighted
Adam,
Thanks for your reply. I also had a reply from Microsoft support confirming that authentication is separate for each component of Office365.
Tony
Highlighted

@Tony Rogers one of the suggestions from a recent support case was to include Windows Hello for Business during Sign In which adds the MFA claim to the PRT (although in a Hybrid AD + AAD environment the PRT is only valid for 14 days before needing to have 'line of sight' to a Domain Controller).

I've confirmed this with an Azure AD joined only computer using Windows Hello for Business and the experience is much better. When tokens expire I usually only see one MFA prompt.

I haven't had a chance to see a real world example of a Hybrid setup with AD + AAD joined clients using Windows Hello for Business to see if this reduces MFA prompts when devices are outside or a corporate network. If anyone has tried this and can confirm it operates in the same way as Azure AD only joined device then please let me know.