Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,322 questions
Conditional Access MFA and Sign-in Frequency
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 59%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bill Spicer
26
Reputation points
With legacy MFA, you can select x many days to remember a device. Currently we have this set to 24 hours. Users only have to type a password if it expires, they login from an unknown device/browser or inactivity policy signs them out.
When migrating to Conditional Access Policies for MFA the only option to specify a frequency is the Sign-in frequency which requires you to type a password. I'm looking for a way to relax typing of password for trusted devices to a few days but keep requiring MFA every 24 hours. Is there a way to do this? Microsoft needs an MFA frequency.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,191 Reputation points Microsoft Employee2024-05-15T21:40:41.3066667+00:00 Hi @Bill Spicer ,
Are you saying that the users are prompted to enter their passwords even when the Sign-in frequency control should not have prompted them? Could you share a screenshot of your policy settings? What you are describing sounds specific to application or browser behavior. Some apps may not use the existing MFA claim and may require a new one. The behavior may be dependent on how the app is configured or how the browser handles the MFA claim.
-
Bill Spicer 26 Reputation points
2024-09-27T15:52:31.8333333+00:00 Sorry, I am just now seeing this. When you use CA policy to force MFA and require a sign-in frequency of 1 day, users are prompted to sign in which means they must type their password and also complete MFA for each app (Outlook, Teams, Browser). When you move away from legacy MFA, there is no way that I can find to just prompt for MFA every 24 hours without using the sign-in frequency which required a user to type a password. I just want users to be prompted for MFA every 24 hours but I don't want them to have to "Sign-in" (type password) every 24 hours.
Sign in to comment
Sign in to answer