
Thank you for posting your query.
From the above description and screenshot, I understand why the end user is able to sign in via SSO when MFA is enforced.
Please do correct me if there is any discrepancy in my understanding by responding in the comments section.
The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days; this means the user will be prompted to reauthenticate after 90 days.
In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor).
MFA is triggered only when the user is prompted for authentication; if the session has not expired (due to the rolling window), MFA will not be initiated.
Solution:
To control the user sign-in frequency and ensure the user is prompted for MFA more frequently, you must configure a Sign-in frequency control or Sign-in frequency control every time risky user
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
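As an added example that is not part of the answer above, this is how a Conditional Access policy with a shorter sign-in frequency can be created with the Microsoft Graph PowerShell SDK, so that the 90-day rolling window no longer suppresses the MFA prompt. It assumes the `Microsoft.Graph` module is installed, that `<pilot-group-object-id>` is replaced with a real group, and it creates the policy in report-only mode so the effect can be reviewed in sign-in logs before enforcing it.

```powershell
# Requires: Install-Module Microsoft.Graph (Conditional Access cmdlets)
# Scope needed to create/read Conditional Access policies
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of a pilot group to scope the policy to first
$pilotGroupId = "<pilot-group-object-id>"

$policy = @{
    displayName = "CA - Sign-in frequency 1 day (pilot)"
    # Report-only first: evaluates and logs the result without enforcing it
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Forces a fresh authentication (first and second factor) every 1 day
        # instead of relying on the default 90-day rolling window
        signInFrequency = @{
            isEnabled          = $true
            type               = "days"
            value              = 1
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was stored: state and the sign-in frequency session control
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "SifEnabled";  e = { $_.SessionControls.SignInFrequency.IsEnabled } },
        @{ n = "SifValue";    e = { $_.SessionControls.SignInFrequency.Value } },
        @{ n = "SifType";     e = { $_.SessionControls.SignInFrequency.Type } },
        @{ n = "SifInterval"; e = { $_.SessionControls.SignInFrequency.FrequencyInterval } }
```

After confirming in the sign-in logs that the report-only results match expectations, switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Setting `frequencyInterval` to `everyTime` instead of `timeBased` is the Graph equivalent of the "every time" option referred to in the answer.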