Entra External ID (External Tenant) & Workforce login question

rosskoes05 15 Reputation points
2024-09-06T19:58:27.5333333+00:00

We are creating an app for our customers.  We have created an External ID Tenant for our customers to live in.  We have set everything up and things are working as expected for the customers.

I am struggling with the right settings for our employees to log in and manage/administrate inside the application.  They currently have to MFA in twice when logging into this app using the same page that our customers use to log in.  I have added these users as guests in the External ID tenant so that they can use the same credentials as our Work-Force tenant.  This works, but as I said, they MFA in twice.  Once for our Work-Force tenant, and once for the External ID tenant.  

I do have a conditional access policy set up to force MFA on anyone who has admin access to the External ID tenant, but when logging into our application, you have to MFA in EVERY time.  When logging into Azure, it's very different.  It seems to cache that I'm logged in, and/or cache that I've previously passed MFA and doesn't require it again.

I have multiple questions:

How can I stop having 2 MFA prompts every time an employee/admin logs into our application and keep things secure?  I assume I could disable MFA on external guest accounts to get rid of one MFA prompt.  My concern is that there is a way to directly log into the External ID tenant and bypass our Work-Force tenant which requires the MFA.

Is there a way to disable MFA from my Work-Force tenant when logging into the app registered in the External ID tenant?

Why is the app not operating like Azure Authentication?  Shouldn't it keep my session open just like Azure does unless I log out or time out?  Why does it not remember that I've previously satisfied MFA from my location?

Is this something a developer needs to look at?

I'm open to other suggestions as well to accomplish this.  We are trying to avoid our tech support staff and other admins from having to MFA in twice when they access the admin section of this application.


1 answer

  1. Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
    2024-09-11T18:37:59.5033333+00:00

    Hi @rosskoes05

    Thank you for reaching Microsoft Q&A.

    If I understand correctly, your users are getting multiple MFA prompts when logging into applications.

    A user might see multiple MFA prompts on a device that doesn't have an identity in Microsoft Entra ID. Multiple prompts result when each application has its own OAuth Refresh Token that isn't shared with other client apps. In this scenario, MFA prompts multiple times as each application requests an OAuth Refresh Token to be validated with MFA.
    For more information, I suggest you go through the Microsoft Entra session lifetime configuration settings.
    Also please refer to the thread which is similar to your issue: https://techcommunity.microsoft.com/t5/microsoft-365/preventing-multiple-mfa-checks-for-office-365-users/m-p/260066

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
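As an added illustration (not part of the answer above, and not taken from Microsoft documentation verbatim), the session lifetime settings the answer points to are expressed in a Conditional Access policy through its `sessionControls` block. The request body below is what a defender would POST to the Microsoft Graph endpoint `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` to keep MFA required for the admin group while letting a completed MFA last for a bounded period, instead of removing MFA from guest accounts as the question considers. The group id, application id and display name are constructed placeholders; the policy is created in report-only mode so the sign-in logs can be checked before it is enforced.

```json
{
  "displayName": "Admins of customer app: require MFA, 1-day sign-in frequency (example policy)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["00000000-0000-0000-0000-000000000000"],
      "excludeUsers": []
    },
    "applications": {
      "includeApplications": ["11111111-1111-1111-1111-111111111111"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "frequencyInterval": "timeBased",
      "type": "days",
      "value": 1,
      "authenticationType": "primaryAndSecondaryAuthentication"
    },
    "persistentBrowser": {
      "isEnabled": true,
      "mode": "always"
    }
  }
}
```

The `includeGroups` value stands for the group holding the tech-support and admin accounts in the External ID tenant, and `includeApplications` for the app registration the customers' login page belongs to (both are placeholders here). With `signInFrequency` set to one day, a user who satisfied MFA keeps that session for the configured interval rather than being re-prompted on every sign-in, and `persistentBrowser` lets the browser session survive closing the window; MFA itself is still enforced by `grantControls`. Review the report-only results in the sign-in logs, then switch `state` to `"enabled"`.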

