This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 17%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBT%3C/text%3E%3C/svg%3E)
I have two Conditional Access Policies. One is to require users to perform MFA for browsers once every day and the other is to require users to perform MFA for mobile and desktop clients, once every 7 days. The issue is that we are being required to perform MFA every day with the 7 day policy, on mobile and desktop clients. The logs even show this. Why are we getting prompted when the sign-in frequency is set to 7 days on desktop and mobile clients?
Thanks!
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Why a difference in policies? Whats the business case for a one day prompt versus 7? That sounds like a recipe for MFA fatigue the browser definition is pretty broad. Do the sign in logs show the daily prompt policy is triggered?
I think I figured out the problem. Looks like we have per-user mfa settings enabled to remember mfa for one day, which is conflicting with the 7 day policy. Found https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime that it is recommended to disable the per user mfa policy and use sign-in frequency on the CA policy instead, or it would create unecessary logins
Have not tested this yet but hoping this solves the issue.
I wanted to check in and see if you were able to resolve this issue?