Users repeatedly prompted for MFA

Nareg Phoenix 0 Reputation points
2023-05-31T14:46:41.7766667+00:00

We have several conditional access policies that require authentication strength:

  • PriviledgeAccounts, with sign-in frequency set to 4 hours.
  • UntrustedLocation, with sign-in frequency set to 4 hours.
  • BannedLocation - Block access.
  • UnknownDevice, with sign-in frequency set to 4 hours.
  • SigninRisk

These CA policies are working perfectly, with one side effect: I need assistance understanding why some users are asked 7-9 times a day (on the same device) to perform the MFA process. Having to authenticate each time they connect to any Microsoft application (Teams, Outlook, SharePoint, Power Apps, ...) is simply unmanageable for users and a source of confusion.

Additional notes:

  1. The users being asked for MFA are on a trusted IP that was added in Named Locations.
  2. "Remember multi-factor authentication on trusted device" is not selected in service settings.
  3. "Skip multi-factor authentication for requests from federated users on my intranet" is not selected in service settings.

Some of the events/details in sign-in logs:

  1. "MFA requirement satisfied by claim in the token."
  2. "This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your user's part to sign in. The sign-in logs may indicate that the device authentication challenge was passed successfully or failed."

Thanks for your help!
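One way to triage this kind of report, added here as an example and not part of the original question: pull the sign-in logs for the affected users (the Entra sign-in logs export or `GET /auditLogs/signIns` return records shaped like Microsoft Graph `signIn` objects) and separate real interactive MFA prompts from sign-ins where "MFA requirement satisfied by claim in the token" was logged, since only the former are prompts the user actually saw. The script then groups the real prompts by user and device and flags any prompt that arrived sooner than the configured 4-hour sign-in frequency after the previous one, because those cannot be explained by the frequency setting alone, and it counts which CA policies were applied on those prompts. The records below are constructed sample data in that shape, not real tenant logs; the user names, device ids and field values are assumptions for illustration.

```python
"""Triage of Entra ID sign-in logs for repeated MFA prompts (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (Microsoft Graph `signIn` shape, only the fields
# read below). Alice has a registered device and is prompted twice, >4h apart; Bob signs
# in from an unregistered device and is prompted three times within an hour.
SAMPLE_SIGNINS = json.loads(r"""
[
 {"createdDateTime": "2023-05-31T08:02:10Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Microsoft Teams", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "dev-1", "trustType": "Azure AD joined"},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UntrustedLocation", "result": "success"}]},
 {"createdDateTime": "2023-05-31T08:05:00Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "dev-1", "trustType": "Azure AD joined"},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UntrustedLocation", "result": "success"}]},
 {"createdDateTime": "2023-05-31T12:10:00Z", "userPrincipalName": "alice@contoso.example",
  "appDisplayName": "SharePoint Online", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "dev-1", "trustType": "Azure AD joined"},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UntrustedLocation", "result": "success"}]},
 {"createdDateTime": "2023-05-31T08:00:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Microsoft Teams", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "", "trustType": null},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UnknownDevice", "result": "success"},
                                       {"displayName": "UntrustedLocation", "result": "success"}]},
 {"createdDateTime": "2023-05-31T08:20:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "", "trustType": null},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UnknownDevice", "result": "success"},
                                       {"displayName": "UntrustedLocation", "result": "success"}]},
 {"createdDateTime": "2023-05-31T09:00:00Z", "userPrincipalName": "bob@contoso.example",
  "appDisplayName": "Power Apps", "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"deviceId": "", "trustType": null},
  "authenticationDetails": [{"authenticationStepResultDetail": "MFA completed in Azure AD"}],
  "appliedConditionalAccessPolicies": [{"displayName": "UnknownDevice", "result": "success"},
                                       {"displayName": "UntrustedLocation", "result": "success"}]}
]
""")

CLAIM_SATISFIED = "MFA requirement satisfied by claim in the token"


def parse_time(value):
    # Graph emits UTC timestamps with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_interactive_prompt(rec):
    """True when the user actually had to complete MFA: the policy required multi-factor
    auth and no authentication step reports the requirement being met by a token claim."""
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        return False
    steps = rec.get("authenticationDetails") or []
    return not any(CLAIM_SATISFIED in (s.get("authenticationStepResultDetail") or "") for s in steps)


def prompts_by_user_device(records):
    """Map (userPrincipalName, deviceId or '<unregistered>') -> sorted list of prompt times."""
    out = defaultdict(list)
    for rec in records:
        if not is_interactive_prompt(rec):
            continue
        device = (rec.get("deviceDetail") or {}).get("deviceId") or "<unregistered>"
        out[(rec["userPrincipalName"], device)].append(parse_time(rec["createdDateTime"]))
    return {key: sorted(times) for key, times in out.items()}


def prompts_inside_frequency(records, frequency=timedelta(hours=4)):
    """Prompts on the same user+device that followed the previous prompt sooner than the
    configured sign-in frequency; these are not explained by the frequency setting itself."""
    hits = []
    for (upn, device), times in prompts_by_user_device(records).items():
        for prev, cur in zip(times, times[1:]):
            if cur - prev < frequency:
                hits.append((upn, device, prev, cur, cur - prev))
    return hits


def policies_enforcing_prompts(records):
    """Count which CA policies were applied (result == success) on interactive prompts."""
    counts = Counter()
    for rec in records:
        if is_interactive_prompt(rec):
            for policy in rec.get("appliedConditionalAccessPolicies") or []:
                if policy.get("result") == "success":
                    counts[policy["displayName"]] += 1
    return counts


def summarize(records, frequency=timedelta(hours=4)):
    lines = []
    for (upn, device), times in sorted(prompts_by_user_device(records).items()):
        lines.append(f"{upn} on {device}: {len(times)} interactive MFA prompt(s)")
    for upn, device, prev, cur, gap in prompts_inside_frequency(records, frequency):
        lines.append(f"  {upn} on {device}: prompt at {cur:%H:%M} only {gap} after {prev:%H:%M}")
    for name, n in policies_enforcing_prompts(records).most_common():
        lines.append(f"policy {name}: applied on {n} prompt(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
```

Run it against a real export by replacing `SAMPLE_SIGNINS` with the parsed JSON; in the constructed data it reports that Alice's two prompts respect the 4-hour frequency while Bob's prompts from an unregistered device come 20 and 40 minutes apart with the UnknownDevice policy applied every time, which is the kind of pattern worth checking first when users on trusted IPs are still prompted many times a day.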
