Mar 17 2021
06:02 AM
- last edited on
Jan 14 2022
03:27 PM
by
TechCommunityAP
I have a conditional access policy to enable MFA. It's all set and good. I have it shown here.
I later wanted to go into "Session" and enable "Sign-In Frequency" and set it to the recommended 90 days. After I hit save I get "Validating Session" at the bottom. But it never actually saves at all.
I tried re-creating the policy from scratch including this setting and it will not save. I don't know why.
Mar 17 2021 06:46 AM
Mar 17 2021 06:51 AM
So, when using MFA, how do I get it to add the prompt "Remember this device for X days" option? Because under "Remember multi-factor authentication on trusted device" setting it tells me to use Conditional Access:
NOTE: For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to ‘Remember MFA on a trusted device’ settings. If using 'Remember MFA on a trusted device,' be sure to extend the duration to 90 or more days. Learn more about reauthentication prompts.
So, I should enable it in trusted device? Or require MFA with each login when outside my network?
Mar 17 2021 06:59 AM
Mar 17 2021 08:27 AM - edited Mar 17 2021 08:38 AM
Hi, well, the 90 days was something that just popped into mind, so I had to put it out there. As to why it is not saving your settings, I think it's better if I just link this for guidance.
https://dirteam.com/sander/2020/06/17/todo-move-from-the-allow-users-to-remember-multi-factor-authen...
And for reference
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Configure authentication session management - Azure Active Directory | Microsoft Docs
Mar 17 2021 10:05 AM
Mar 17 2021 03:27 PM
Mar 18 2021 06:45 AM
I too am experiencing the same hung 'validating policy' in Conditional Access. Mine is not a policy that is already active; it's a brand new policy with no bearing or effect on any other features or policies already being manipulated by Conditional Access.
Mar 18 2021 08:46 AM - edited Mar 18 2021 08:49 AM
Me too. I can't create a new CA policy (or edit an existing one) where I change the "sign-in frequency" option to On. I can edit a CA policy that has "sign-in frequency" turned on, but I can't change the values for that frequency. This is all irrespective of what value I use (e.g. 90 days, 1 hour, etc.).
It's been like this for a couple of days or more. I've opened a case with Microsoft.
Mar 18 2021 08:53 AM
Mar 18 2021 01:53 PM
In my discussion with the Microsoft rep, he had me do some sort of log and send it to him. I did so and they will get back to me.
Mar 18 2021 01:54 PM
Mar 18 2021 06:54 PM - edited Mar 18 2021 07:02 PM
@ChristianBergstrom @Tomnibus_MedOne have you heard anything back? This seems to be a recent bug. We're about to open a sev1 ticket on this.
Mar 18 2021 08:24 PM
Mar 18 2021 08:51 PM
Mar 19 2021 04:55 AM
Hi @itomni, @snout @ChrisShawLHC and possibly @Brownin88,
While this is broken on the Azure side of things, there is a workaround with Graph.
1) Create the policy in Azure AD without setting Sign-In Frequency.
2) Head over to Graph and sign in with your Global Administrator account https://developer.microsoft.com/en-us/graph/graph-explorer
3) Run the following query: GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(you may need to Consent to a few things under Modify Permissions)
4) Find the Policy you just created in the Response Preview and copy the ID
5) Change the request to PATCH and add the ID to the end of the previous request:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id> and Edit your Request body to the following:
{
    "sessionControls": {
        "signInFrequency": {
            "value": 90,
            "type": "days",
            "isEnabled": true
        }
    }
}
6) Run the query (you may have to consent to a couple of things again)
7) Done! You will get a 204 No Content success message and the policy has now been updated
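The same Graph workaround as a script, added here as an example and not part of the post above. It uses only the Python standard library, takes a bearer token placeholder you would replace with a real one (the app or account needs the Policy.ReadWrite.ConditionalAccess permission consented, which is what the "Modify Permissions" step refers to), looks the policy up by display name instead of copying the ID by hand, and sends the exact sessionControls body from step 5. The transport is injectable so the request-building and ID-lookup logic can be run offline against a constructed sample list response; the policy names and GUIDs in SAMPLE_LIST are made up.

```python
"""Added example (not from the thread): set Conditional Access sign-in
frequency through Microsoft Graph, following steps 3-7 of the workaround."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Transport signature: (method, url, headers, body or None) -> (status, response text)
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def urllib_transport(method, url, headers, body=None):
    """Real transport: needs a valid Graph bearer token in the headers."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def find_policy_id(list_response: dict, display_name: str) -> str:
    """Step 4: locate the policy by display name in the GET response and return its id.
    Refuses to guess if the name is missing or ambiguous."""
    matches = [p["id"] for p in list_response.get("value", [])
               if p.get("displayName") == display_name]
    if len(matches) != 1:
        raise LookupError(f"expected one policy named {display_name!r}, found {len(matches)}")
    return matches[0]


def sign_in_frequency_body(value: int, unit: str = "days") -> dict:
    """Step 5: the PATCH body from the thread. Graph accepts 'days' or 'hours' as type."""
    if unit not in ("days", "hours"):
        raise ValueError("type must be 'days' or 'hours'")
    if value < 1:
        raise ValueError("sign-in frequency must be a positive integer")
    return {"sessionControls": {"signInFrequency": {
        "value": value, "type": unit, "isEnabled": True}}}


def set_sign_in_frequency(token: str, display_name: str, value: int, unit: str = "days",
                          transport: Transport = urllib_transport) -> int:
    """Steps 3-7 end to end: GET the policy list, find the id, PATCH the session control.
    Returns the PATCH status code; 204 means the policy was updated."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = transport("GET", GRAPH_POLICIES, headers, None)
    if status != 200:
        raise RuntimeError(f"listing policies failed with HTTP {status}: {text}")
    policy_id = find_policy_id(json.loads(text), display_name)
    body = json.dumps(sign_in_frequency_body(value, unit)).encode()
    status, text = transport("PATCH", f"{GRAPH_POLICIES}/{policy_id}", headers, body)
    if status != 204:
        raise RuntimeError(f"PATCH failed with HTTP {status}: {text}")
    return status


# Constructed sample, shaped like Graph's list response (names and GUIDs are made up).
SAMPLE_LIST = {"value": [
    {"id": "11111111-1111-1111-1111-111111111111",
     "displayName": "Require MFA for all users", "state": "enabled"},
    {"id": "22222222-2222-2222-2222-222222222222",
     "displayName": "Block legacy auth", "state": "enabled"},
]}


def fake_transport_factory(log: list) -> Transport:
    """Offline transport: answers GET with SAMPLE_LIST, records the PATCH, returns 204."""
    def transport(method, url, headers, body):
        log.append((method, url, body))
        if method == "GET":
            return 200, json.dumps(SAMPLE_LIST)
        return 204, ""
    return transport


def demo() -> list:
    """Run the workflow offline and return the recorded requests."""
    log = []
    set_sign_in_frequency("<token placeholder>", "Require MFA for all users", 90,
                          transport=fake_transport_factory(log))
    return log


if __name__ == "__main__":
    for method, url, body in demo():
        print(method, url, body.decode() if body else "")
```

To run it for real, call set_sign_in_frequency with a Graph token and leave the transport at its default; the 204 check at the end is the same "204 No Content" success that step 7 describes, and anything else is raised with the response body so a mis-consented permission shows up immediately instead of silently doing nothing.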
Mar 19 2021 06:04 AM
Mar 19 2021 06:05 AM
Mar 19 2021 12:45 PM
Mar 23 2021 02:00 PM
Mar 24 2021 04:38 AM
@Tomnibus_MedOne Yes, it started working for me as well yesterday, with no intervention required.
In fact, I haven't even heard back from Microsoft Support yet, despite opening the case 6 days ago and sending a chasing email a day or two ago.