Azure AD Conditional access

Question

Azure AD Conditional access

robcool 116

I have conditional access policy set to challenge users for MFA.

However, they aren't prompted and moreover when I check the sign-in logs it shows "Success" for that CA policy with additional message saying "MFA requirement satisfied by claim in the token"

Can someone please confirm what could be the issue here ? Why is the MFA token retained and users not challenged for second factor ?

Dillon Silzer 57,826 Reputation points Volunteer Moderator

2022-09-28T03:48:49.33+00:00

Can you take a screenshot + provide all configuration for your Conditional Access Policy please?
robcool 116 Reputation points

2022-09-28T04:04:55.7+00:00
Hi @Dillon Silzer
The conditional access policy basically contains the following configuration:

User > All users inclusion with exclusion for breakglass

Apps > One cloud app has been selected

Conditions > Client Apps (Modern and browser)

Grant conditions > Require MFA

I have analysed the sign-in logs and looks like when the users connect to Azure joined device they are challenged for MFA and subsequently when they access the cloud app the above CA policy is triggered however, it identifies an active MFA token and doesn't prompt user for challenge.

In this case, can you please confirm for how long the MFA tokens are valid ? In last three hours, user has accessed the cloud app twice via joined device and both the times the CA policy shows success with additional message saying "MFA requirement satisfied by claim in the token".

How can I get the user to be challenged for MFA ? Does it mean I need to set sign-in frequency under session control ?

2 answers

Your answer

Dillon Silzer 57,826 Reputation points Volunteer Moderator

2022-09-28T03:48:49.33+00:00

Can you take a screenshot + provide all configuration for your Conditional Access Policy please?
robcool 116 Reputation points

2022-09-28T04:04:55.7+00:00

Hi @Dillon Silzer
The conditional access policy basically contains the following configuration:

User > All users inclusion with exclusion for breakglass

Apps > One cloud app has been selected

Conditions > Client Apps (Modern and browser)

Grant conditions > Require MFA

I have analysed the sign-in logs and looks like when the users connect to Azure joined device they are challenged for MFA and subsequently when they access the cloud app the above CA policy is triggered however, it identifies an active MFA token and doesn't prompt user for challenge.

In this case, can you please confirm for how long the MFA tokens are valid ? In last three hours, user has accessed the cloud app twice via joined device and both the times the CA policy shows success with additional message saying "MFA requirement satisfied by claim in the token".

How can I get the user to be challenged for MFA ? Does it mean I need to set sign-in frequency under session control ?

Answer 1

Dillon Silzer 57,826 Volunteer Moderator

Hi @robcool

If you want to be frequently challenging them you can set a session timeout Conditional Access Policy:

Policy 1: Sign-in frequency control

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-1-sign-in-frequency-control

--------------------------------

If this is helpful please accept answer.

robcool 116 Reputation points

2022-09-28T04:50:38.903+00:00

Hi @Dillon Silzer

Can you please confirm as to how long the MFA token is valid for ?

Thanks.

Answer 2

Vasil Michev 119.5K MVP Volunteer Moderator

How exactly is the user authenticating? There are scenarios, such as when logging in from a Azure AD joined device via PRT, where MFA requirements are automatically satisfied. Read for example here: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim
Some federation scenarios count as well.

Share via

Azure AD Conditional access

2 answers

Your answer