Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
9,173 questions
Users repeatedly prompted for MFA
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 52%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Nareg Phoenix
0
Reputation points
We have several conditional access policies that require authentication strength:
- PriviledgeAccounts with sign-in frequency is set to 4 hours.
- UntrustedLocation with sign-in frequency is set to 4 hours.
- BannedLocation - Block Access
- UnknownDevice with sign-in frequency is set to 4 hours.
- SigninRisk
These CA policies are working perfectly, with one side effect: I need assistance why some are asked 7-9 times a day (same device) to perform the MFA process each time having to connect to every Microsoft application (teams, outlook, SharePoint, power apps, ...) is simply unmanageable for users and a source of confusion.
Additional note here:
- The users getting asked the MFA are in a trusted IP that was added in Named Locations.
- Remember multi-factor authentication on trusted device is not selected in service settings.
- Skip multi-factor authentication for requests from federated users on my intranet is not selected in service settings.
Some of the events/details in sign-in logs:
- MFA requirement satisfied by claim in the token.
- This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed successfully or failed.
Thanks for your help!
Microsoft Authenticator
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
25,048 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 20,901 Reputation points Microsoft Employee Moderator2023-06-01T08:54:36.4833333+00:00 I am looking into this issue and will revert back to you post my research
-
Nareg Phoenix 0 Reputation points
2023-06-01T10:12:18.4033333+00:00 Thank you @Sandeep G-MSFT ,waiting for your feedback.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 0%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sridevi Konada System Admin 0 Reputation points2023-06-01T20:20:52.6766667+00:00 We are getting the same issue. Please let us know what is the solution to this issue
-
Sandeep G-MSFT 20,901 Reputation points Microsoft Employee Moderator
2023-06-06T06:43:54.9+00:00 Let's try to work on this issue offline as it needs some deeper investigation by looking at your configuration.
Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:
Link to this thread/post
We can connect offline and discuss further on this.
Sign in to comment
Sign in to answer