Set conditional policy to prompt MFA only when detected user password change recently

Raymond Ha 20 Reputation points
2023-09-07T03:24:36.4933333+00:00

Hi, I have one unique use case here: my super VIP user INSISTS on not using the MFA prompt all the time, so now we were forced to customize one conditional policy to only prompt MFA when his password expired (we are ADFS, one-way sync to Azure AD).

The logic will be: he/she will not get any MFA prompt each time, but only be prompted after 30 or 60 days, when the AD password is changed. Is this possible? TQ

Azure Active Directory

Accepted answer
    Harpreet Singh Matharoo 5,721 Reputation points Microsoft Employee
    2023-09-07T04:42:09.0766667+00:00

    Hello @Raymond Ha ,

    Thank you for reaching out. I would like to confirm that the logic you have described, prompting for MFA when the AD password is changed, would not be possible to set up using an Azure AD Conditional Access policy, since Conditional Access policies do not evaluate the Last Password Change Timestamp attribute or password age to prompt for MFA or any other control.

    You can instead use Sign-In Frequency to force an MFA prompt every 30 or 60 days. Sign-In Frequency documentation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.
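The sign-in frequency alternative from the accepted answer, expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the question, the answer or Microsoft; the policy name, the 30-day value and the user object ID placeholder are assumptions, and the policy is created in report-only state so its effect on the targeted account can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph PowerShell SDK
# and an account allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the account this policy should apply to.
$targetUserId = "<vip-user-object-id>"

$policy = @{
    displayName = "VIP - require MFA, re-prompt every 30 days"   # assumed name
    # Report-only first: sign-in logs show what the policy would have done without enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @($targetUserId) }
        applications   = @{ includeApplications = @("All") }
    }
    # MFA is required; the session control below decides how long that satisfaction is reused.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    # Sign-in frequency: a fresh interactive authentication (and therefore MFA) is forced
    # after 30 days regardless of when the AD password last changed.
    sessionControls = @{
        signInFrequency = @{
            value     = 30
            type      = "days"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Switch `state` to `enabled` only after the report-only results match the expected behaviour. Note that this reproduces the answer's recommendation, a time-based re-prompt, and does not tie the prompt to the on-premises password change, which the answer states Conditional Access cannot evaluate.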


0 additional answers
