Random MFA prompts from Universal Store Native Client

ppeedu there are two sides to the story (aren't there always 🙂 ).

On the one hand the MFA prompts are 'normal behaviour' based on the CA policies we have set up (they apply to all cloud apps and apparently the universal store native client is considered as one).

This was determined through analysis of the sign-in logs. There's also the refresh token after successful strong auth that plays a part in why you sometimes get the prompt and sometimes you don't (because your refresh token is still valid).

The other thing is, even though it's considered as working as designed, my gripe with this is there is no way to exclude the 'universal store native client' from the ca policies, nor can I find the 'Windows Store for Business' to which the sign-in logs refer and worse, the end user has no idea why they are getting the MFA prompt since they are not actively signing in.

My question on how to tackle this within the scope of ca policies has been forwarded to someone of the product group for the ca service so hoping to get some answers from there to be able to provide a better user experience for our employees.