Azure AD conditional access with MFA (Duo) - able to bypass MFA

Paul W. Specht 1 Reputation point
2023-01-17T14:17:46.05+00:00

I have the Office 365 app as the select app.

Users is just myself and two other IT staff

Conditions are set for Android, iOS

Grant access and use Duo MFA

I then set up Session for 1 hour sign in frequency.

But my tests do not force me to re-auth.

Am I missing something?

If I ignore the log-in prompt for the mobile client, I can still use the app!!

I used these for reference:

https://help.duo.com/s/article/3813?language=en_US

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime


3 answers

  1. Andy David - MVP 157.6K Reputation points MVP Volunteer Moderator
    2023-01-17T15:10:12.66+00:00

    Does this apply?

    Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, be sure to disable it before using Sign-in frequency, as using these two settings together may lead to prompting users unexpectedly. To learn more about reauthentication prompts and session lifetime, see the article, Optimize reauthentication prompts and understand session lifetime for Azure AD Multifactor Authentication.


  2. Paul W. Specht 1 Reputation point
    2023-01-17T16:04:10.47+00:00

    Andy,

    Our Duo global policy allows users to remember devices for 30 days. I created an application policy for the specific O365 app in Duo to disable that.

    I'll take a look at your article. Thank you.


  3. Paul W. Specht 1 Reputation point
    2023-01-17T20:50:33.3966667+00:00

    Per the article:

    Recommended settings

    To give your users the right balance of security and ease of use by asking them to sign in at the right frequency, we recommend the following configurations:

    If you have Azure AD Premium: (We have P1)

    If reauthentication is required, use a Conditional Access sign-in frequency policy.

    For users that sign in from non-managed devices or mobile device scenarios, persistent browser sessions may not be preferable, or you might use Conditional Access to enable persistent browser sessions with sign-in frequency policies. Limit the duration to an appropriate time based on the sign-in risk, where a user with less risk has a longer session duration.

    I am doing both.

    Shouldn't Conditional Access policies override Azure AD session lifetime options?

    Also in the article:

    To configure or review the Remain signed-in option, complete the following steps:

    1. In the Azure AD portal, search for and select Azure Active Directory.
    2. Select Company Branding, then for each locale, choose Show option to remain signed in.
    3. Choose Yes, then select Save.

    These settings are not in my Company Branding section.

    I have attached a screenshot of our remember multi-factor auth settings from here:

    To remember multifactor authentication settings on trusted devices, complete the following steps:

    1. In the Azure AD portal, search for and select Azure Active Directory.
    2. Select Security, then MFA.
    3. Under Configure, select Additional cloud-based MFA settings.
    4. In the Multi-factor authentication service settings page, scroll to remember multi-factor authentication settings. Disable the setting by unchecking the checkbox.
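The scope and session-control interplay discussed in this thread, as an added example that is not part of the thread or of Microsoft's own code. The policy dictionary follows the Microsoft Graph conditionalAccessPolicy shape with constructed values mirroring the question's setup, and the evaluator is a simplified model of the matching rules (user, app, platform, sign-in frequency) rather than Azure AD's actual engine, so it shows why a test sign-in may never be prompted: out of scope, control disabled, or session still inside the window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample policy in the Microsoft Graph conditionalAccessPolicy shape,
# mirroring the thread: Office 365 app, Android/iOS, 1-hour sign-in frequency.
# (The Duo custom-control grant is omitted; it does not affect session evaluation.)
POLICY = {
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["paul", "it-admin-1", "it-admin-2"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android", "iOS"]},
    },
    "sessionControls": {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1}
    },
}
# Constructed tenant-level "remember MFA on trusted devices" setting in days (0 = off),
# the setting the first answer says to disable before using sign-in frequency.
REMEMBER_MFA_DAYS = 30

UNIT = {"hours": timedelta(hours=1), "days": timedelta(days=1)}


def in_scope(policy, signin):
    """Does the sign-in match the policy's user, app and platform conditions?"""
    c = policy["conditions"]
    users = c["users"]["includeUsers"]
    apps = c["applications"]["includeApplications"]
    plats = c.get("platforms", {}).get("includePlatforms", ["all"])
    return (policy["state"] == "enabled"
            and (users == ["All"] or signin["user"] in users)
            and (apps == ["All"] or signin["app"] in apps)
            and (plats == ["all"] or signin["platform"] in plats))


def evaluate(policy, signin, now, remember_mfa_days=REMEMBER_MFA_DAYS):
    """Return (must_reauth, reason) for one sign-in at time `now`."""
    if not in_scope(policy, signin):
        return False, "policy not in scope for this user/app/platform"
    sif = policy.get("sessionControls", {}).get("signInFrequency", {})
    if not sif.get("isEnabled"):
        return False, "sign-in frequency control disabled"
    window = sif["value"] * UNIT[sif["type"]]
    age = now - signin["last_auth"]
    if age < window:
        return False, f"session age {age} is inside the {window} window"
    note = " (warning: 'remember MFA' is enabled; disable it first)" if remember_mfa_days else ""
    return True, f"session age {age} exceeds {window}" + note
```

Run it against a sign-in from an unlisted platform (e.g. "windows") to see the out-of-scope branch, which is the first thing to check when a policy seems to be bypassed.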
