Outlook
A family of Microsoft email and calendar products.
3,010 questions
Wonder if CAE is involved with the change in IP address when a user moves location:
Prevent constant MFA requests for hybrid workforce
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 47%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Chad Brosseau
0
Reputation points
Hello,
Most of our users are hybrid, working remotely via VPN and locally in office. Regardless of our 30-day MFA policy, our users are prompted for MFA every few days if they move locations between working at home and at the office.
We are a non-profit healthcare organization of 600 staff, using primarily Office E3 & Azure P1, Exchange in the cloud, and local AD sync. I cannot for the life of me determine what policies I need to adjust to get consistent results from MFA. 30 days should be 30 days. Employee devices are laptops with domain accounts- nothing is being wiped or reset.
If there is some special Conditional Access magic that I am missing, I am all ears- but the current state of this is unsustainable.
Thank you,
CB
Outlook
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,899 questions
Office Management
Office Management
Office: A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.Management: The act or process of organizing, handling, directing or controlling something.
2,010 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,569 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 49%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
LiweiTian-MSFT 14,615 Reputation points Microsoft Vendor2024-04-29T07:24:35.57+00:00 Hi,
Teams tag is mainly focused on the general issue of Microsoft Teams troubleshooting. According to your description, your question is not in our support scope. So, we will remove teams tag from your thread. Thanks for your understanding and patience!
Sign in to comment
2 answers
Sort by: Most helpful
-
Andy David - MVP 142.2K Reputation points MVP2024-04-24T16:25:14.19+00:00 -
Chad Brosseau 0 Reputation points
2024-04-25T13:19:04.5366667+00:00 Thank you! I think this is a good direction- somewhat of a rabbit hole for my network admin to configure... however, looking at the token lifetime defaults when not using Conditional Access for token policy, Microsoft has allowed 90 days for refresh tokens, and "until revoked" for MFA session tokens. It does mention that "non-persistent session tokens have a Max Inactive Time of 24 hours" which may have some implications here. I feel there must be a simpler way to troubleshoot and adjust this- I can't imagine we are the only agency experiencing it.
Sign in to comment -
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,246 Reputation points2024-04-25T07:36:46.61+00:00 Use the Microsoft Entra sign-ins report. This report shows authentication details for events when a user is prompted for multifactor authentication, and if any Conditional Access policies were in use: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting#view-the-microsoft-entra-sign-ins-report
-
Chad Brosseau 0 Reputation points
2024-04-25T13:33:57.94+00:00 Thanks Alfredo, but I am familiar with the sign-ins report. I can always see when there is MFA called and a primary refresh token issued, but it does nothing to allude to why it was prompted or reasoning behind its periodicity.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,246 Reputation points
2024-04-25T15:08:39.1966667+00:00 So it's not CA. Can you detail your VPN/network setup/authentication flow? What, how, where, when?
-
Chad Brosseau 0 Reputation points
2024-04-29T12:19:47.2866667+00:00 Sure, VPN provided by a mix of AnyConnect and CMAK profiles, local LAN via VPN meshed Cisco Meraki between sites. MFA environment is through Azure, which is set to 30 days at the moment. Staff use VPN when at home, and use a local secure VLAN when at the office. Authentication works, but it seems when we change both of 1. IP (when moving home from office) AND 2. switching off and on VPN, the MFA prompts happen every few days.
Sign in to comment -