How to setup MFA sign-in frequency for an app

Question

Users have to do MFA authentication on every change they make within my Azure application. How do I change the sign-in frequency and make it more acceptable for users? Is this controlled at a higher level, as it seems everything I do in the application settings are ignored.

Answer 1

If you are looking to do this, use a Conditional Access for a specific app:

Note: Make sure you always test this with a test group/user to ensure you don't do anything that locks you out.

Configure authentication session management with Conditional Access

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

Note: "The sign-in frequency setting works with third-party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis."

Policy deployment

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-deployment

Policy 1: Sign-in frequency control

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access.
3. Select Create new policy.
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
5. Choose all required conditions for customer’s environment, including the target cloud apps.

Note: It is recommended to set equal authentication prompt frequency for key Microsoft Office apps such as Exchange Online and SharePoint Online for best user experience.

1. Under Access controls > Session.
   1. Select Sign-in frequency.

        1. Choose **Periodic reauthentication** and enter a value of hours or days or select **Every time**.
      

2. Save your policy.

---

If this is helpful please accept answer.