@Ruben
Yes, a change in network triggers MFA even if the user selected to remember it for X number of days. The only option to avoid triggering MFA is by configuring Trusted locations.
Will IP changes trigger reauthentication for Microsoft Conditional Access MFA?
I am currently implementing Azure Conditional Access for a large group of users. Everything looks good, but we are getting complaints that people need to reauthenticate too often. We have configured the "Remember MFA" checkbox for 30 days. I would expect that if somebody logs in on device X with this checkbox checked, they would not have to provide an MFA token for the next 30 days, independent of their IP. But it seems that people get MFA challenges when switching IPs a lot.
Is this correct behaviour? And what is the trigger for requesting a new MFA token? Also, suggestions to "fix" this behaviour?
AmanpreetSingh-MSFT 56,666 Reputation points
2020-02-21T12:02:11.557+00:00
1 additional answer
Saurabh Sharma 23,816 Reputation points Microsoft Employee
2020-02-20T23:38:00.863+00:00
If you have configured to use a conditional access with the Location Condition with Any location, then it will cause the policy to be applied to all IP addresses. Also, changing a location would be detected within an hour of changing the network location for the applications using modern authentication. Ideally, it is recommended to keep MFA enabled on location change to block access from untrusted networks and by non-legitimate users.
You can exclude specific locations from a policy by defining trusted locations or defining MFA trusted IPs. Please refer to the documentation -
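
An added example, not part of either answer above: one way to define a trusted location and exclude it from an existing policy, assuming the Microsoft Graph PowerShell SDK is installed. The CIDR range, display name and policy ID are constructed placeholders; existing exclusions on the policy are preserved rather than overwritten.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK and an account
# permitted to edit Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Constructed sample values. 203.0.113.0/24 is a documentation range; replace it
# with the public egress range of a network you control, as narrow as possible,
# because sign-ins from these addresses will no longer be challenged by this policy.
$officeCidr = '203.0.113.0/24'
$policyId   = '<conditional-access-policy-id>'   # placeholder

# 1. Create the named location and mark it as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Head office egress (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr }
    )
}

# 2. Read the current location condition so existing settings are kept.
$current = (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId).Conditions.Locations
$include = @($current.IncludeLocations | Where-Object { $_ })
if ($include.Count -eq 0) { $include = @('All') }   # "Any location"
$exclude = @(@($current.ExcludeLocations | Where-Object { $_ }) + $location.Id | Select-Object -Unique)

# 3. Patch only the location condition of the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter @{
    conditions = @{
        locations = @{
            includeLocations = $include
            excludeLocations = $exclude
        }
    }
}

# 4. Confirm the result before rolling out to users.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId).Conditions.Locations |
    Format-List IncludeLocations, ExcludeLocations
```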