Issue with PIM and MFA

David N 6 Reputation points
2022-09-21T20:02:50.623+00:00

We are moving our security to Privileged Identity Management and would like to force MFA when someone activates a role. The option is there (see attachment), but it does not work. If the user has already authenticated with MFA, it will not force them to authenticate again.
Any help or suggestions here?



3 answers

  1. JimmySalian-2011 41,926 Reputation points
    2022-09-21T20:22:28.1+00:00

    Hi,

    Check out the Conditional Access policy timeout frequency and persistent browser settings; explore that section - howto-conditional-access-session-lifetime

    concepts-azure-multi-factor-authentication-prompts-session-lifetime

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

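The session controls this answer points to can be set per policy. The following is an added example (not part of the thread, and not Microsoft's documentation code) of a Conditional Access policy that scopes a one-hour sign-in frequency and a non-persistent browser session to holders of privileged directory roles, so that a cached MFA claim cannot be reused for long before a PIM activation. It assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Get-MgDirectoryRoleTemplate, New-MgIdentityConditionalAccessPolicy); the role names, the policy name, the one-hour value, and the break-glass placeholder are illustrative choices.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph PowerShell SDK.
# Creates a Conditional Access policy that shortens the session lifetime for admins
# so that MFA is re-prompted sooner, including before a later PIM role activation.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagement.Read.Directory'

# Resolve directory role template IDs by display name rather than hard-coding GUIDs.
# The role list here is an illustrative choice; adjust it to the roles you manage in PIM.
$targetRoles = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $targetRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Object ID of an emergency-access (break-glass) account to exclude.
# Placeholder: replace with the real object ID before running.
$breakGlassUserId = '<object-id-of-break-glass-account>'

$policy = @{
    displayName = 'Admins: 1h sign-in frequency, no persistent browser session'
    # Start in report-only mode and review the sign-in logs before switching to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassUserId)
        }
        # Persistent browser session controls require the policy to target all apps.
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls   = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Require a fresh interactive sign-in (and therefore MFA) every hour.
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 1 }
        # Do not keep the session after the browser is closed.
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Note what this does and does not achieve: it bounds how stale an MFA claim can be when the user reaches PIM, which is the workaround the thread converges on, but it does not make PIM re-prompt on every activation; as the next answer notes, at the time of the thread PIM did not yet support authentication context, which is the control that ties a fresh MFA to the activation itself.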

  2. Vasil Michev 95,836 Reputation points MVP
    2022-09-22T06:53:19.877+00:00

    If the user has already succeeded at an MFA challenge, the relevant claims will be stamped within the access token and honored by PIM and other services, so this is expected. If your idea is to always force MFA, there's no good solution currently - best wait for PIM to support authentication context.


  3. David N 6 Reputation points
    2022-09-22T13:51:00.267+00:00

    If I implement a CA policy, there is no way to tie that to PIM activation, right? The only option would be limiting the MFA session of admins?
    Thanks
    David
