Conditional Access Policy for Duo Sign-in Frequency Not Consistent

Daniel Cumming 5 Reputation points
2023-11-16T20:51:55.52+00:00

We have implemented Duo. I have a conditional access policy set up so that users are prompted to authenticate through Duo when logging into 365. I have the sign-in frequency set to 5 days, which means that users have to authenticate every 5 days. I have one user who is sometimes being asked multiple times a day to authenticate. It may go a few weeks working as expected, and other times she is being asked to authenticate more frequently than every 5 days. I've contacted Duo support, but since it is a conditional access policy, they told me it's a Microsoft issue. This seems to be working as expected for other users. Is there a reason why this would happen for one person?

Microsoft Entra ID

1 answer

  1. Fabio Andrade 1,665 Reputation points Microsoft Employee
    2023-11-17T00:22:53.7333333+00:00

    Hi @Daniel Cumming

    Thanks for reaching out to Microsoft Q&A

    I understand that the trigger for the MFA to be prompted is the Conditional Access, but besides the fact that this feature is still in Preview, it also has some limitations.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/controls#known-limitations


    There are some reasons why you are seeing this behavior. Considering that M365 apps use OAuth as an authorization protocol, which means they work with the refresh token concept, one of the reasons why most users do not have the problem might be that they have a PRT (Primary Refresh Token) and the non-working user might not have one.

    https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

    If that's not the case, I'd suggest you look more closely at the failing user's sign-in logs and try to identify any patterns that differ from the users who are working as expected.

    Thanks,

    Fabio
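
The pattern search the answer suggests, as an added example that is not part of the original answer or of any Microsoft tooling: it reads a sign-in log export, lists the interactive sign-ins where MFA was required, flags consecutive prompts closer together than the 5-day sign-in frequency, and summarises the device trust type the user signs in from (an unregistered device cannot hold a PRT). The field names follow the Graph signIn resource as I understand it, and the records are constructed; the user names and timestamps are made up.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of a sign-in log export (field names follow the
# Graph signIn resource; users, timestamps and devices are made up for this example).
SAMPLE_LOG = json.loads("""[
 {"createdDateTime": "2023-11-10T08:02:00Z", "userPrincipalName": "working@example.com",
  "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication",
  "clientAppUsed": "Browser", "deviceDetail": {"trustType": "Hybrid Azure AD joined"}},
 {"createdDateTime": "2023-11-13T09:15:00Z", "userPrincipalName": "working@example.com",
  "isInteractive": true, "authenticationRequirement": "singleFactorAuthentication",
  "clientAppUsed": "Browser", "deviceDetail": {"trustType": "Hybrid Azure AD joined"}},
 {"createdDateTime": "2023-11-14T07:30:00Z", "userPrincipalName": "failing@example.com",
  "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication",
  "clientAppUsed": "Browser", "deviceDetail": {"trustType": ""}},
 {"createdDateTime": "2023-11-14T12:45:00Z", "userPrincipalName": "failing@example.com",
  "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication",
  "clientAppUsed": "Mobile Apps and Desktop clients", "deviceDetail": {"trustType": ""}},
 {"createdDateTime": "2023-11-16T18:00:00Z", "userPrincipalName": "failing@example.com",
  "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication",
  "clientAppUsed": "Browser", "deviceDetail": {"trustType": ""}}
]""")


def parse_time(value):
    """Parse the ISO 8601 timestamps used in the export (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def mfa_prompts(records, upn):
    """Interactive sign-ins for one user where Entra required MFA, oldest first."""
    hits = [r for r in records
            if r["userPrincipalName"] == upn and r.get("isInteractive")
            and r["authenticationRequirement"] == "multiFactorAuthentication"]
    return sorted(hits, key=lambda r: parse_time(r["createdDateTime"]))


def early_reprompts(records, upn, frequency=timedelta(days=5)):
    """MFA prompts that arrived sooner than the policy's sign-in frequency allows."""
    prompts = mfa_prompts(records, upn)
    out = []
    for prev, cur in zip(prompts, prompts[1:]):
        gap = parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])
        if gap < frequency:
            out.append((cur["createdDateTime"], cur["clientAppUsed"],
                        cur["deviceDetail"].get("trustType") or "not registered"))
    return out


def device_trust_summary(records, upn):
    """Count sign-ins per device trust type; an empty trustType means the device is not registered, so it has no PRT."""
    return Counter(r["deviceDetail"].get("trustType") or "not registered"
                   for r in records if r["userPrincipalName"] == upn)
```

Comparing the output of early_reprompts and device_trust_summary for the failing user against a working user shows whether the early prompts line up with an unregistered device or a particular client app.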

