cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MFA claim expired - Breaking web apps

Miike
Copper Contributor

‎Aug 17 2023 04:06 PM - edited ‎Aug 17 2023 06:44 PM

‎Aug 17 2023 04:06 PM - edited ‎Aug 17 2023 06:44 PM

MFA claim expired - Breaking web apps

Hi All,

 

Testing:

- Passwordless (Phone Sign-in baseline)

- Sign in Frequency (Shorter than tenant setting)

- Desktops are hybrid, receiving their PRT but no not use WH4B

- Tenant still has Remember Trusted device for X Days enabled

 

I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state.

 

Settings.png

 

Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. 

 

I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues?

 

Thanks!

1,857 Views
0 Likes
3 Replies
Reply
3 Replies
anday

‎Sep 08 2023 01:33 PM

‎Sep 08 2023 01:33 PM

Re: MFA claim expired - Breaking web apps

I've been seeing this same issue for random individuals. Claim expires and is never renewed and the conditional access policy has been enabled for months with no issues. I also have a support ticket submitted, did you ever receive additional response/resolution?
0 Likes
Reply
Miike

‎Sep 08 2023 02:15 PM

‎Sep 08 2023 02:15 PM

Re: MFA claim expired - Breaking web apps

@anday unfortunately not, still pushing the ticket but nothing meaningful just yet

0 Likes
Reply
allytween

‎Sep 10 2023 04:40 PM

‎Sep 10 2023 04:40 PM

Re: MFA claim expired - Breaking web apps

I've been having the same issue as well. Hybrid - remember trusted devices turned off, persistent browsing turned on, SIF of 14 days. We did narrow down further that attempting to sign in with your 'Connected to Windows' account in the browser pop up gives a failure due to the 'expired' claim, but if you click the 'Use another account' button and then sign in with your account that way, you are able to sign in without any issue.

Notably, when I signed in to my computer using my yubikey, my account was no longer 'expired' for MFA on the device.

We can get around it currently by opening browsers in incognito or by signing out of the Edge browser and back in and choosing the 'Use another account' option. I'm glad I'm not the only person seeing this behaviour. I'll let you know if we get anything useful tomorrow!
0 Likes
Reply