This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
We enforce Azure MFA via conditional access. We would like to only make our users MFA once every 60 days but NOT give them a persistent browser. We still want them to have to sign in every time but just not got MFA'd. Information security is not keen on the idea of persistant browsers and would like to make users at least have to sign in with username/password but ok with no MFA if coming from same browser. Their concern is someone signing into a browser on a shared PC, closing it then another person opens it and has access to all their data because they didnt have to sign in. Our old IDP would allow you to specify the number of days for no MFA. The user would always have to sign in though. Thats what we are having difficulty with doing with Azure. Curious if there is a way I am missing...
Hi
you could use separate Client App policies - so force any Browser-based connections to always require MFA, but then have a separate policy for Mobile Apps and Desktop Clients to only prompt every 60 days?
Hope this helps,
Thanks
Michael Durkan
Sorry should have clarified but this is only for browser based logins, we want to only enforce MFA every 60 days when users sign into any cloud app using a browser, we still want them to have to sign in, but just not get MFA'd until that 60 days timer expires. We were able to achieve this when using legacy per user MFA settings:
But when we moved to enforcing MFA via conditional access, our only option seems to be a persistant browser combined with a sign-in frequency policy. So users would get a persistant browser, meaning they dont have to sign in (thus not getting MFA'd) until the sign in frequency policy kicked in after X amount of days we set, which would force them to sign in again and get MFA.
Ah OK - so you're referring to this:
So if you turn on the Persistent Browser control, it will override or remove the "Stay Signed In" prompt that comes up after after the users complete the MFA experience.
So if possible, can you identify the users who are using the shared devices, add them to a Security Group and apply Sign-In Frequency Policies to those users only?
Thanks
Michael
We can define those users but if we assigned them say a 60 day sign in frequency policy but did not assign them a persistant browser (which we are trying to avoid) what good would that do? If there is no persistance, then every time they close and reopen the browser they will have to sign in, which in turn will trigger MFA.
What we would like to do is every time they close and re-open the browser yes they have to sign in but MFA is not triggered until that 60 days expires. It seems the only way to accomplish this is with a persistent browser combined with a 60 day sign-in frequency policy.