Conditional policy to force MFA but not password

BP 5 Reputation points
2023-03-31T12:56:15.7966667+00:00

Can a conditional access policy can be setup to NOT prompt for password, and only prompt for MFA based on a duration?

Currently, if session duration is set - the entire authentication process and prompts are forced.

This would be for an 3rd party Enterprise app and not a native Microsoft service.

Thanks,

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,841 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Sedat SALMAN 13,180 Reputation points
    2023-04-01T04:16:42.49+00:00

    In Microsoft Azure AD, a Conditional Access policy can be set up to require MFA under certain conditions. However, it is not possible to completely bypass the password prompt and only enforce MFA based on a duration.

    Conditional Access policies are designed to add an additional layer of security on top of the user's password, rather than replacing it. MFA is an extra step to verify a user's identity, and it usually works in conjunction with a password.

    That said, you can create a policy to require MFA under specific conditions, such as when the user is accessing a particular app or when they are connecting from an unfamiliar location. To do this, follow these steps:

    1. Azure Portal > Azure Active Directory > Security > Conditional Access.
    2. "New policy."
    3. Give your policy a name and choose the users or groups you want to apply the policy to.
    4. Under "Cloud apps or actions," select the Enterprise app(s) for which you want to enforce MFA.
    5. Under "Conditions," configure any additional conditions you'd like to apply, such as device state or location.
    6. Under "Grant," select "Grant access," and then check the "Require multi-factor authentication" box.
    7. Set "Enable policy" to "On," and then click "Create" to save your policy.

    Keep in mind that this will still require the user to enter their password before being prompted for MFA. It is important to maintain a balance between security and user experience, and relying solely on MFA without a password might not be the most secure approach.

    0 comments No comments