Microsoft Tech Community
SOLVED

Can I improve user experience of Azure MFA?


Hi all,

 

We have not that long ago enabled Azure MFA via conditional access to the most important users in the company. At the time of deployment it got thrown in with probably little appreciation for all the settings you can do.

Azure MFA is for the most part accepted nicely by all but I wanted to check with the community if we could have selected the settings better to make it an even better user experience.

The number one feedback we get is that MFA prompts happen too often. MFA prompts 7 days apart are not going down well with everyone :)

 

So we have MFA enabled via Conditional Access and only for a group of users.

Conditional Access is set to ALL cloud apps with no exceptions

Conditional Access is set to all locations but excluding 2 trusted networks

From Azure AD MFA service settings we do have that we allow remembering the MFA token for 7 days.

 

I understand that if using the option to remember the MFA prompt for 7 days when using a browser to log in to things, it will set a persistent cookie that survives even after the browser has been closed or the system has been rebooted.

If you don't select that box, closing the browser window and re-opening it means you are asked for MFA again.

 

For non-browser clients, they don't show the option to remember the token for 7 days; instead they use the refresh token, which every hour grants an access token if the last 2-step MFA happened within the last 7 days (or whatever you set under the MFA service settings).

 

I don't know if:

  1. Is 7 days considered too low/high?
  2. Is all cloud apps included in the conditional access perhaps overkill?
    1. Especially for PolyCom RealConnect phones

I am really hoping someone in the community has some good ideas, although I am aware that we ourselves select the settings we want. But just because we have gone for these settings does not mean they are considered good ones in general.

6 Replies
I usually keep it at 14 days. This is a good middle ground between security and user friendliness.

It's not overkill to include all cloud apps.
I would, however, advise you to exclude all compliant/hybrid joined devices. If you set it up like this, your users will not receive MFA prompts when they are on a corporate computer.

@Thijs Lecomte I actually did think that perhaps 14 days would be good.

 

We have not as of yet done any hybrid join other than a select few machines from IT.

 

This certainly makes a case for it. Do you know how that works with Android and iPad devices that are in Intune as fully supervised devices?

best response confirmed by RippieUK (Brass Contributor)
Solution
Yes, this is possible.

So you can use 'require compliant device' if your devices are fully Intune managed and not added to an on-prem domain. This means AAD joined W10, Android, iOS and macOS.

If your W10 computers are currently on-prem, I would advise you to hybrid join them. That way they are joined to AD and AAD at the same time.
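To make the two configurations discussed in this thread concrete, here is an added example (not code from the thread or from Microsoft) that expresses the policy as the original poster describes it, and the variant the replies suggest, as Microsoft Graph PowerShell policy objects. It assumes the Microsoft Graph PowerShell SDK is installed; the group ID and the two named-location IDs are placeholders, and the 14-day sign-in frequency is the reply's suggestion applied as a Conditional Access session control rather than the tenant-wide "remember MFA" service setting (an assumption about how you would carry that setting over, not something the thread states).

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the object ID of the MFA pilot group and the IDs of the
# two named locations that represent the trusted networks.
$pilotGroupId     = "00000000-0000-0000-0000-000000000000"
$trustedLocations = @("<named-location-id-1>", "<named-location-id-2>")

# Policy 1: the setup described in the question. Every cloud app, every location
# except the two trusted networks, and MFA as the only way to satisfy the grant.
$asDeployed = @{
    displayName   = "CA01 - Require MFA (pilot group)"
    state         = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" once reviewed
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = $trustedLocations }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: the same scope, but a compliant (Intune-managed) or hybrid Azure AD joined
# device also satisfies the grant, so users on corporate devices are not prompted while
# unmanaged devices still must do MFA. The session controls set the 14-day interval the
# reply suggests and keep the browser session persistent across restarts.
$withDeviceTrust = @{
    displayName     = "CA02 - Require MFA or trusted device (pilot group)"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $asDeployed.conditions
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = "days"; value = 14 }
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
    }
}

# Create the device-trust variant in report-only mode.
New-MgIdentityConditionalAccessPolicy -BodyParameter $withDeviceTrust

# Check: list every policy with its state and the grant controls it accepts, so an
# "OR" policy that quietly allows a weaker control than intended is easy to spot.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = "Grant"; e = { ($_.GrantControls.Operator) + ": " + ($_.GrantControls.BuiltInControls -join ", ") } }
```

Two design points worth noting. The `OR` operator is what implements "exclude corporate devices" in practice: the policy still applies to those devices, but a compliant or hybrid-joined device already satisfies it, so no prompt is shown; unmanaged devices fall through to MFA. And `persistentBrowser` is only honoured when the policy covers all cloud apps, which is another reason not to carve applications out of the scope.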

@Thijs Lecomte Thank you, I got some ideas now actually to make it better. Will take this to my manager. Thank you.

@RippieUK As you haven't rolled out Azure MFA on a large scale just yet, I want to send a heads-up for the Azure Identity Protection MFA registration policy. Perhaps you've already had a look at it, but here's the MS doc https://docs.microsoft.com/sv-se/azure/active-directory/identity-protection/howto-identity-protectio...

 

@Thijs Lecomte something to share from your own experience using this policy as well? :)

@ChristianBergstrom Thank you for that piece of information. We currently have something similar set in our default conditional access policy that says in the grant access section to require MFA, which forces people to go and sign up for that. Not sure if they can bypass it though.
