In Microsoft Azure AD, a Conditional Access policy can be set up to require MFA under certain conditions. However, it is not possible to skip the password prompt entirely and enforce only MFA on a time-based (duration) schedule.
Conditional Access policies are designed to add an additional layer of security on top of the user's password, rather than replacing it. MFA is an extra step to verify a user's identity, and it usually works in conjunction with a password.
That said, you can create a policy to require MFA under specific conditions, such as when the user is accessing a particular app or when they are connecting from an unfamiliar location. To do this, follow these steps:
- Go to Azure Portal > Azure Active Directory > Security > Conditional Access.
- Click "New policy."
- Give your policy a name and choose the users or groups you want to apply the policy to.
- Under "Cloud apps or actions," select the Enterprise app(s) for which you want to enforce MFA.
- Under "Conditions," configure any additional conditions you'd like to apply, such as device state or location.
- Under "Grant," select "Grant access," and then check the "Require multi-factor authentication" box.
- Set "Enable policy" to "On," and then click "Create" to save your policy.
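The same policy expressed as the Microsoft Graph request body that the portal steps above produce, added here as an example and not taken from the original answer; the group and application object ids are placeholders, and the `state` value for report-only mode is shown so the policy can be validated before it is enforced.

```python
"""Build and sanity-check a Conditional Access policy body that mirrors the portal steps:
users/groups -> cloud apps -> (optional) location condition -> Grant: require MFA -> On."""
import json
from urllib.request import Request, urlopen

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(name, group_ids, app_ids, state="enabled"):
    """Return a conditionalAccessPolicy body. state="enabled" matches "Enable policy: On";
    pass "enabledForReportingButNotEnforced" to deploy in report-only mode first."""
    if not group_ids or not app_ids:
        raise ValueError("policy needs at least one target group and one cloud app")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(app_ids)},
            # "All" locations minus named trusted locations = "unfamiliar location" condition
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        # Grant access, but only with the built-in MFA control satisfied
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy):
    """True only if the policy is switched on and its grant control includes MFA."""
    grant = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and "mfa" in grant.get("builtInControls", [])


def create_policy(policy, access_token):
    """POST the body to Graph (needs Policy.ReadWrite.ConditionalAccess); returns the created object."""
    req = Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids (constructed); replace with the real group and enterprise app object ids.
    body = build_mfa_policy("Require MFA for finance app", ["<group-object-id>"], ["<app-object-id>"])
    print(json.dumps(body, indent=2), "-> requires MFA:", requires_mfa(body))
```

Users still enter their password first; the body only adds the MFA grant control on top of it, exactly as the portal policy does.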
Keep in mind that this will still require the user to enter their password before being prompted for MFA. It is important to maintain a balance between security and user experience, and relying solely on MFA without a password might not be the most secure approach.