
Query about multi-factor authentication

SAGA 45 Reputation points
2026-03-03T09:06:55.43+00:00

Hello Team,

I have a query about enforcing MFA for the following criteria; I believe it's achievable via a Conditional Access policy.

  1. Apply MFA when the user configures Outlook/Teams on their device for the first time. This is for all devices (BYOD/mobiles/tablets).
  2. Another requirement is to prompt for MFA after 24 hours when they access Outlook/Teams. (This will not be implemented immediately, but is intended to enforce higher security in future.)

I think it can be done in the Conditional Access policy, by selecting the users in scope or the groups they are part of, and choosing the rule "device should be compliant and the frequency to some particular hours or days" as required.

If this is wrong, or if you have a better way, please suggest it.

Microsoft Security | Microsoft Entra | Other

2 answers

  1. Shubham Sharma 17,835 Reputation points Microsoft External Staff Moderator
    2026-03-03T09:48:48.26+00:00

    Hey SAGA, you can absolutely do both of these with an Azure AD Conditional Access policy. The trick is to:

    1. Target just Outlook/Teams as your “cloud apps”
    2. Require MFA as a grant control so the first time a user signs in from any device they’ll get prompted
    3. Plug in the “Sign-in frequency” session control so they’ll get re-challenged every 24 hours

    Here’s a high-level walkthrough:

    1. In the Azure portal go to Azure Active Directory → Security → Conditional Access → New policy
    2. Name it something like “MFA for Outlook & Teams – initial + 24 h”
    3. Users and groups: select your target users or group
    4. Cloud apps: include Exchange Online (and Exchange Online – mobile) and Microsoft Teams
    5. Conditions (optional but handy):
       • Client apps: choose “Mobile apps and desktop clients” (to catch Outlook/Teams on phones/tablets)
       • Platform: you can pick iOS, Android, Windows, macOS if you only want those
    6. Access controls → Grant → Require multi-factor authentication
    7. Session controls → Sign-in frequency → set to every 24 hours (this forces MFA again after 24 h)
    8. Enable policy

    What this does:

    • First sign-in from a new device or client = MFA prompt (that covers your “first-time Outlook/Teams setup” ask)
    • After that, the Azure AD session cookie and app token remain valid up to 24 hours, then they’ll get another MFA prompt (your “24 h” requirement)

    If you also care about device compliance (Intune-enrolled devices vs BYOD), you can add another grant control “Require device to be marked compliant” so corporate-owned devices pass without bringing in Intune.

    Let me know if:

    • You’re licensed for Azure AD P1 (needed for these Conditional Access/session controls)

    • You need to block legacy auth protocols too

    • You want any network-location exclusions (e.g. trusted corp VPN)

    — Reference links —

    • Create a Conditional Access policy that enforces MFA:

    https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

    • Sign-in frequency session control:

    https://learn.microsoft.com/azure/active-directory/conditional-access/concept-session-controls#sign-in-frequency

    • Deep dive on MFA prompts & session lifetimes:

    https://learn.microsoft.com/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime

    • Require device compliance in Conditional Access:

    https://learn.microsoft.com/mem/intune/protect/compliance-policy-create-android

    • Block legacy authentication with Conditional Access:

    https://learn.microsoft.com/entra/identity/conditional-access/policy-block-legacy-authentication


  2. AI answer

    2026-03-03T09:07:13.3166667+00:00

    The requirements are achievable with Microsoft Entra Conditional Access, but not exactly in the way described.

    1. Enforce MFA when Outlook/Teams is configured the first time (all BYOD/mobiles/tablets)

    Configure a Conditional Access policy that requires MFA for access to Microsoft 365 resources (for example, Exchange Online and Microsoft Teams):

    1. In the Microsoft Entra admin center, go to Entra ID > Conditional Access > Policies and create a New policy.
    2. Under Assignments:
      • Users or workload identities: include the users or groups that must use MFA.
      • Optionally exclude break-glass/emergency accounts as recommended.
    3. Under Target resources (Resources / cloud apps): include All resources or at minimum Exchange Online and Microsoft Teams.
    4. Under Access controls > Grant:
      • Select Require multifactor authentication.
      • Set For multiple controls as needed (for this scenario, MFA alone is sufficient if device compliance is not yet required).
    5. Set the policy initially to Report-only to validate impact, then switch to On.

    With this policy, when a user signs into Outlook or Teams on a device for the first time, Conditional Access will evaluate the sign-in and require MFA before granting access.

    If shared Teams devices (common-area phones, hot-desking phones) are in scope, they often cannot complete user-interactive MFA. In that case:

    • Use Conditional Access to secure those resource accounts with alternative controls such as known network location or compliant device, instead of user MFA.
    • Avoid grouping shared devices with personal devices in policies that require user MFA, because sign-in will fail on shared devices.

    2. Prompt MFA again after 24 hours when accessing Outlook/Teams

    This requirement is handled via Conditional Access session controls, specifically sign-in frequency. The context provided notes that sign-in frequency can be configured so users must sign in again after a specified time period. To implement a 24‑hour re-prompt for MFA:

    • In the same or another Conditional Access policy targeting Outlook/Teams, configure sign-in frequency (under session controls) to 24 hours.
    • Ensure shared devices (for example, Teams phones, hot-desking devices) are excluded from sign-in frequency policies, because enforcing frequent reauthentication on resource accounts causes those devices to sign out until an admin signs them in again.

    3. Device compliance vs MFA

    The proposal to “choose the rule device should be compliant and the frequency to some particular hours or days” mixes two different controls:

    • Grant controls like Require device to be marked as compliant and Require multifactor authentication.
    • Session controls like sign-in frequency.

    A common pattern is:

    • For all users and all resources, create a policy that grants access if one of the following is true:
      • MFA is completed, or
      • The device is compliant, or
      • The device is Microsoft Entra hybrid joined.
      This is done by selecting multiple grant controls and choosing Require one of the selected controls.
    • Start in Report-only mode, validate, then enable.

    For shared Teams devices used for hot-desking:

    • Exclude them from compliance policies and sign-in frequency policies.
    • Instead, secure them using named locations and, optionally, MFA for the hot-desking user accounts.
    • Use Filters for devices (for example, by model or extension attributes) to:
      • Exclude shared devices from policies intended for personal devices (like device compliance requirements).
      • Apply special policies only to shared devices (for example, requiring named locations).

    4. Summary design

    • Policy A (core MFA/device policy):
      • Users: all standard users (exclude break-glass, shared device resource accounts as needed).
      • Resources: all cloud apps or at least Exchange Online and Teams.
      • Grant: Require multifactor authentication, Require device to be marked as compliant, Require Microsoft Entra hybrid joined device with Require one of the selected controls.
      • Mode: start Report-only, then On.
      • Effect: first-time sign-in to Outlook/Teams on any device will require MFA or a trusted device state.
    • Policy B (future higher security – 24‑hour re-prompt):
      • Users: same user set, but exclude shared devices using device filters or groups.
      • Resources: Outlook/Teams (or all resources).
      • Session: configure sign-in frequency to 24 hours.
      • Mode: start Report-only, then On when ready.

    This approach uses Conditional Access as intended: MFA and device state as grant controls, and re-prompt timing via sign-in frequency, while keeping shared Teams devices workable by excluding them or using alternative controls.

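Both answers describe the two policies in portal terms. The following is an added example, not code from either answer or from Microsoft, that builds the same design (Policy A: MFA or trusted device state as grant controls; Policy B: 24-hour sign-in frequency with shared Teams devices excluded) through the Microsoft Graph PowerShell SDK, creates both in report-only mode, and then reads the sign-in log for sign-ins the report-only policies would have interrupted. The group and user object IDs and the `extensionAttribute1` tag used to mark shared Teams devices are placeholders and assumptions; the two application IDs are the well-known first-party IDs for Office 365 Exchange Online and Microsoft Teams, which you should verify in your own tenant before relying on them.

```powershell
# Added example (not from the original answers): the "Summary design" policies
# created via Microsoft Graph PowerShell, in report-only mode, plus a check of
# which recent sign-ins those report-only policies would have blocked.
# Assumptions / placeholders: the group and user object IDs below and the
# extensionAttribute1 value that tags shared Teams devices are constructed.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'AuditLog.Read.All'

$standardUsersGroupId = '<object-id-of-standard-users-group>'    # placeholder
$breakGlassUserIds    = @('<object-id-of-break-glass-account>')  # placeholder
$sharedDeviceTag      = 'SharedTeamsDevice'                      # constructed convention

# Well-known first-party application IDs (verify in your tenant).
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$teamsAppId          = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'   # Microsoft Teams

# Policy A: first sign-in to Outlook/Teams must satisfy MFA OR a compliant device
# OR a hybrid-joined device ("Require one of the selected controls" = operator OR).
$policyA = @{
    displayName   = 'CA-A Outlook-Teams: MFA or trusted device'
    state         = 'enabledForReportingButNotEnforced'      # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($standardUsersGroupId); excludeUsers = $breakGlassUserIds }
        applications   = @{ includeApplications = @($exchangeOnlineAppId, $teamsAppId) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')  # domainJoinedDevice = hybrid joined
    }
}

# Policy B: re-authenticate every 24 hours. Shared Teams devices are excluded with a
# device filter so resource accounts on common-area phones are not signed out.
$policyB = @{
    displayName     = 'CA-B Outlook-Teams: sign-in frequency 24h'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{ includeGroups = @($standardUsersGroupId); excludeUsers = $breakGlassUserIds }
        applications   = @{ includeApplications = @($exchangeOnlineAppId, $teamsAppId) }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = "device.extensionAttribute1 -eq `"$sharedDeviceTag`""
            }
        }
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            type              = 'hours'
            value             = 24
            frequencyInterval = 'timeBased'
        }
    }
}

$created = foreach ($p in @($policyA, $policyB)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id

# Validation while in report-only: list sign-ins from the last 24 hours that a
# report-only policy would have interrupted (Result = reportOnlyFailure).
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed
```

Leave both policies in `enabledForReportingButNotEnforced` until the sign-in review shows only expected `reportOnlyFailure` entries (and none for the break-glass accounts or the tagged shared devices), then switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Policy B carries no grant controls on purpose: the re-prompt is a session control, separate from the MFA/device-state grant decision made by Policy A.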
