This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 98%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
How can i force my enterprise application (using SAML auth) to prompt for MFA every time ?
i tried creating a conditional access policy but that did not work .
I found this blurb from 2019 - this seems like the exact same issue . is this still the case 3 years later?
I just don't feel 100% comfortable with there not being a way to enforce 2FA even if the device is hybrid joined and is still within the 14 day Primary Refresh Token window. It feels like with conditional access being an option I should be able to override the token in the event the user attempts to access this specific application.
Is there a way to reset this Primary refresh token .
Azure AD Conditional Access policies are not evaluated when PRTs are issued.
Hello @dirkdigs , you can enforce re-authentication and MFA using User sign-in frequency for the specific application.
Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
it does not allow me to use the "every time" option
i am using a non-gallery application and the purpose of my app is for remote access vpn .
naturally i prefer to have MFA prompt for All logins .
Is there another way i can accomplish this?
Hello @dirkdigs , apologies for the delay. Currently Require reauthentication every time (preview) supports selected apps (Eg. Microsoft Intune Enrollment) or all apps. You might try with "all apps" adding additional requirements such as device, location, user, groups or others.
@Alfredo Revilla - Senior Freelance SWE, SWA, IAM
Hi , We are noticing that with the sign-in frequency set to 1 Hours that the application will disconnect and request a re-authentication . Now since the application is a VPN software this is not very good. It will disconnect a user in the middle of a working sessions.
Any suggestions?
Any Alternative?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 26%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
@Alfredo Revilla - Senior Freelance SWE, SWA, IAM do you have any news on the availability of the "User sign-in frequency" "every time" option for other apps ?
I have exactly the same case as @dirkdigs : need to require MFA every time for a VPN Azure registered App.
Thank you.
Hello @dirkdigs , the VPN getting disconnected depends on the VPN provider before anything else. What provider is this?
Hello @SanchK , currently there's no update for additional app supported by "every time", however you can let the product team know about your interest posting a new Idea in the Azure Feedack Forum.