How to setup MFA sign-in frequency for an app

Adriaan van Wijk 0 Reputation points
2023-09-07T17:52:09.9766667+00:00

Users have to do MFA authentication on every change they make within my Azure application. How do I change the sign-in frequency and make it more acceptable for users? Is this controlled at a higher level, as it seems everything I do in the application settings are ignored.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,517 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Dillon Silzer 56,201 Reputation points
    2023-09-08T06:28:33.94+00:00

    If you are looking to do this, use a Conditional Access for a specific app:

    Note: Make sure you always test this with a test group/user to ensure you don't do anything that locks you out.

    Configure authentication session management with Conditional Access

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

    Note: "The sign-in frequency setting works with third-party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis."

    Policy deployment

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-deployment

    Policy 1: Sign-in frequency control

    1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
    2. Browse to Protection > Conditional Access.
    3. Select Create new policy.
    4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
    5. Choose all required conditions for customer’s environment, including the target cloud apps.

    Note: It is recommended to set equal authentication prompt frequency for key Microsoft Office apps such as Exchange Online and SharePoint Online for best user experience.

    1. Under Access controls > Session.
      1. Select Sign-in frequency.
          1. Choose **Periodic reauthentication** and enter a value of hours or days or select **Every time**.
        
    2. Save your policy.

    Conditional Access policy configured for sign-in frequency


    If this is helpful please accept answer.