This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 51%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEC%3C/text%3E%3C/svg%3E)
We are using Azure AD for SSO and MFA, which is enforced with conditional access policies.
Sometimes, a user will login to their computer and get a single MFA prompt when accessing an application. After the first MFA prompt is satisfied, all other applications are signed in without additional prompts for MFA. When I review the sign in logs, you can see in the authentication details it says "previously satisfied". But then there are other applications that are prompting for MFA, when the MFA should already be satisfied. These applications are all subject to the same conditional access policy, so I am unclear as to why some apps are prompting for MFA and others aren't.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 44%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
I don't think you will get a real answer to that.
Microsoft won't share when and why they trigger an MFA prompt as they don't want to reveal it to potential abuse.
When CA thinks the traffic is suspicious (or time between last MFA, etc) is too long it will prompt for MFA again.
When that happens, what do the sign in logs show?
For the user in question, I will see several entries in the sign in log after they login to their computer and start opening applications. All of the events are hitting the exact same conditional access policy. Most of the applications are signing in without prompting for MFA - in the sign in logs it says "previously satisfied".
Other apps in the sign in logs are showing that they are prompting the user for MFA, when it really should say "previously satisfied", like all the other apps do.
I'm unclear as to why some applications do this and others don't.
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 72%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Right now we have a similar issue, but it's only one specific third party app and one specific user. User is prompted for MFA every time the user logs in to the app, however for every other app the auth method is previously satisfied. I have revoked the users sessions but to no avail.
Well, I guess that depends on the other conditions not being satisfied - are there MFA requirements for network location or the apps they are using exempted or device compliance for example? Or are the users accessing with a different device or incognito, etc...
Can you reproduce this?
The conditional access policy is the exact same for all the apps that this user was accessing. The conditions have not changed. The first 3 apps sign in with no issue, and then randomly the 4th one prompts for MFA. It's the same device, same location, same user.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Emmett Carey ,
Is your user on a VPN within a trusted network? The VPN could be disconnecting and dropping to the user's own ISP IP, which may trigger the MFA. If you check the browser logs you may be able to get more hints.
Since the same conditional access policy is being applied and the MFA requirement shows "previously satisfied", it's possible that the PRT with an MFA claim has been used. This could be legitimate, or the account could be getting flagged for a token theft issue. Do you see anything suspicious on the account logs?
Since it's hard to know for certain without seeing your specific policies, feel free to reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and I will gladly enable a support case for you to look into this scenario.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.