Set a Conditional Access policy to prompt for MFA only when a user's password was changed recently

Raymond Ha How Sung 20 Reputation points
2023-09-07T03:24:36.4933333+00:00

Hi, I have one unique use case here: my super VIP user INSISTS on not getting an MFA prompt all the time, so now we are forced to customize a Conditional Access policy to only prompt for MFA when his password has expired (we are on ADFS with one-way sync to Azure AD).

The logic will be: he/she will not get an MFA prompt every time, but only after the AD password is changed every 30 or 60 days. Is this possible? Thank you.

Microsoft Entra ID

Accepted answer
Harpreet Singh Matharoo 8,136 Reputation points Microsoft Employee
2023-09-07T04:42:09.0766667+00:00

Hello @Raymond Ha How Sung,

Thank you for reaching out. I would like to confirm that the logic you have described, prompting for MFA when the AD password is changed, is not possible to set up using an Azure AD Conditional Access policy, since Conditional Access policies do not evaluate the Last Password Change Timestamp attribute or the password age to prompt for MFA or any other control.

You can instead use Sign-in Frequency to force an MFA prompt every 30 or 60 days. Sign-in Frequency documentation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

I hope this helps, and I would request that you please "Accept the answer" if the information helped you. This will help us and others in the community as well.
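The Sign-in Frequency approach from the accepted answer, as an added example that is not part of the original thread or of Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns) to create one Conditional Access policy that requires MFA for a single user and re-prompts only every 30 days. The two object IDs, the policy name and the choice of 30 rather than 60 days are placeholders to adjust; the emergency-access (break-glass) exclusion and the report-only starting state are the editor's recommended defaults, not something the answer specifies.

```powershell
# Added example (not from the original thread): Conditional Access policy with
# Sign-in Frequency, created via Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs: replace with the VIP user and your emergency-access account.
$vipUserId    = "00000000-0000-0000-0000-000000000001"
$breakGlassId = "00000000-0000-0000-0000-000000000002"

$policy = @{
    displayName = "CA - VIP: MFA with 30-day sign-in frequency"
    # Start in report-only so the Sign-in logs show what the policy WOULD do;
    # switch to "enabled" once the behaviour is confirmed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @($vipUserId)
            excludeUsers = @($breakGlassId)   # never lock the break-glass account behind MFA policy changes
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")           # MFA is still required; sign-in frequency only controls how often
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            value             = 30               # use 60 for a 60-day interval
            type              = "days"
            frequencyInterval = "timeBased"      # periodic re-authentication rather than "everyTime"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the session control was stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Format-List IsEnabled, Value, Type, FrequencyInterval
```

Two points worth checking before switching the state to "enabled": the 30-day clock in a time-based sign-in frequency runs from the user's last interactive authentication, not from the on-premises password change, so the prompt will not line up with the AD password expiry the question asks about; and the user will still be prompted for MFA on the first sign-in from each new device or browser, since that is the grant control, not the session control. Watch the Sign-in logs for the user during the report-only phase to confirm the prompt cadence matches expectations.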


0 additional answers