MFA prompt every 24 hours


Hi,

We want to make sure that MFA is prompted every 24 hours. What we did is set the parameter "Allow users to remember multi-factor authentication on devices they trust" to 1 day. We want MFA to be prompted every 24 hours because we want to use Azure MFA with our VPN solution as the second factor.

Now the problem is that the 24 hours used in the remember parameter is a real 24 hours, so if you performed your MFA at 1 pm it will be asked again at 1 pm the day after. What should we do to have a better user experience? Modify the token lifetime?

Like if you're in the middle of a Teams meeting and you forgot that your MFA will expire in like 10 minutes, you will lose the connection. I know, users should just refresh their MFA every morning, but you know they tend to forget....

3 Replies

@Frederick_Po See this article for different approaches: https://janbakker.tech/2020/05/22/sure-keep-me-signed-in-and-dont-prompt-for-mfa/

Check this out, now GA! https://techcommunity.microsoft.com/t5/azure-active-directory-identity/manage-authentication-sessions-in-azure-ad-conditional-access-is/ba-p/1421687

Please note that prompting users every 24 hours is a bad idea.

Users will get used to a lot of MFA prompts and approve prompts without knowing if it is a legit sign-in.

You would be better off using Conditional Access and only requiring MFA when they are on non-compliant devices, for example.
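As an added illustration of the Conditional Access approach recommended in the replies (this is example code written for this thread, not something posted by the participants or taken from Microsoft's documentation), the policy below requires MFA for the VPN application, lets a compliant device satisfy the requirement without a prompt, and uses the sign-in frequency session control instead of the tenant-wide "remember MFA on trusted devices" setting. It assumes the Microsoft Graph PowerShell SDK is installed; `<VPN-APP-ID>` and `<BREAK-GLASS-ACCOUNT-OBJECT-ID>` are placeholders you must replace with your own tenant's values.

```powershell
# Added example: Conditional Access policy for a VPN app built with the
# Microsoft Graph PowerShell SDK. <VPN-APP-ID> and
# <BREAK-GLASS-ACCOUNT-OBJECT-ID> are placeholders, not real identifiers.

# Permissions needed to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$policy = @{
    displayName = "VPN - MFA or compliant device, 1-day sign-in frequency"
    # Start in report-only mode and review sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Keep an emergency-access account out of scope so a policy
            # mistake cannot lock administrators out of the tenant.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")
        }
        applications   = @{ includeApplications = @("<VPN-APP-ID>") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: a compliant (managed) device satisfies the policy with no
        # prompt; any other device must pass MFA. This is the
        # "only require MFA on non-compliant devices" pattern from the reply.
        operator        = "OR"
        builtInControls = @("compliantDevice", "mfa")
    }
    sessionControls = @{
        # Sign-in frequency scopes the re-authentication interval to this
        # app only, instead of the tenant-wide remember-MFA setting.
        signInFrequency = @{
            value     = 1
            type      = "days"
            isEnabled = $true
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the policy's report-only results in the Azure AD sign-in logs before switching `state` to `enabled`, and confirm that the VPN solution actually authenticates through Azure AD (rather than only through the NPS extension), since Conditional Access session controls apply to Azure AD sign-ins.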