How do I stop multiple MFA prompts being triggered by start up apps?

Jude Cosh-Wood 70 Reputation points
2024-07-30T11:42:05.2933333+00:00

Our organisation uses SharePoint for intranet and has this and Microsoft Teams automatically start, each of these triggers an MFA prompt. We are also testing a move from LDAP to SAML for our VPN, which also triggers an MFA prompt. This isn't a very good user experience, particularly for people who don't have additional screens as the prompts hide behind each other.

I'd really appreciate suggestions regarding how we could remove the additional prompts so the user is only asked to MFA once per device / session.

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

  1. Raja Pothuraju 6,445 Reputation points Microsoft Vendor
    2024-08-01T18:45:17.46+00:00

    Hello @Jude Cosh-Wood,

    Thank you for posting your query on Microsoft Q&A.

    From your description, it seems that your organization’s users are experiencing multiple MFA prompts when accessing Microsoft Teams and SharePoint for intranet sites upon startup.

    Given the policy details you shared, I see that you have set the sign-in frequency to 12 hours in your conditional access policy. Multiple MFA prompts can occur when the "Sign-in Frequency" and "Remember MFA on trusted devices" settings are enabled in your tenant. For more information, please refer to the document on Configuring authentication session controls.

    Since multiple MFA prompts are not expected behavior, please check whether the "Remember MFA on trusted devices" setting is enabled. You can verify this by navigating to Microsoft Entra ID >> Users >> Per-User MFA >> Service Settings, or by logging into this page: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

    If "Remember MFA on trusted devices" is enabled, try disabling it and observe if the issue persists.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, please click "Accept Answer" and "Yes" for "Was this answer helpful". If you have any further queries, do let us know.

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.

  2. Andy David - MVP 147.9K Reputation points MVP
    2024-07-30T17:30:17.9366667+00:00

    Well, generally you would get only one prompt, but it all depends on how MFA is being enforced and if the app supports it. For VPN apps you would always want an MFA prompt, I would think, but the Office apps should only require one MFA prompt between them.

    However, I don't know how you have things enabled and if you are using Conditional Access etc...


  3. Andy David - MVP 147.9K Reputation points MVP
    2024-08-01T18:54:01.54+00:00

    Yeah, but why require the 12 hours then? That would mean users are prompted twice a day perhaps, or at least every AM when they come in.

    Is there a business requirement for that?

    It's important to consider that Office apps leverage CAE, so you can use that to your advantage and not require session timeouts.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation

    When you look at the Azure sign in logs, do the prompts correspond with that session timeout?

    I would consider disabling the session timeouts (start with a test group) and see how that goes.
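
One way to run the check suggested in the last answer (do the prompts line up with the 12-hour sign-in frequency?), as an added example that is not part of the thread. It assumes the sign-in log has been exported as JSON records with `createdDateTime`, `userPrincipalName`, `appDisplayName` and `authenticationRequirement` fields; the sample records, the 5-minute burst window and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SIGN_IN_FREQUENCY = timedelta(hours=12)  # value quoted in the thread
BURST_WINDOW = timedelta(minutes=5)      # assumption: prompts this close are one start-up burst
MFA = "multiFactorAuthentication"        # assumed authenticationRequirement value in the export
def _rec(ts, app, req=MFA):
    return {"createdDateTime": ts, "userPrincipalName": "user@example.com",
            "appDisplayName": app, "authenticationRequirement": req}

# Constructed sample records, not real log data.
SAMPLE = [
    _rec("2024-07-29T08:01:10Z", "Microsoft Teams"),
    _rec("2024-07-29T08:01:40Z", "Office 365 SharePoint Online"),
    _rec("2024-07-29T08:03:00Z", "VPN (SAML)"),
    _rec("2024-07-29T12:30:00Z", "Microsoft Teams", "singleFactorAuthentication"),
    _rec("2024-07-29T14:15:00Z", "Microsoft Teams"),
    _rec("2024-07-30T08:02:00Z", "Microsoft Teams"),
    _rec("2024-07-30T08:02:20Z", "Office 365 SharePoint Online"),
]

def mfa_bursts(records):
    """Group each user's MFA-required sign-ins (a proxy for prompts) into bursts."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("authenticationRequirement") == MFA:
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            per_user[r["userPrincipalName"]].append((ts, r["appDisplayName"]))
    bursts = {}
    for user, events in per_user.items():
        groups = bursts.setdefault(user, [])
        for ts, app in sorted(events):
            if groups and ts - groups[-1]["end"] <= BURST_WINDOW:
                groups[-1]["end"] = ts
                groups[-1]["apps"].append(app)
            else:
                groups.append({"start": ts, "end": ts, "apps": [app]})
    return bursts

def classify(bursts):
    """Label each burst by its gap from the user's previous MFA sign-in."""
    report = []
    for user, groups in bursts.items():
        for prev, cur in zip([None] + groups, groups):
            gap = cur["start"] - prev["end"] if prev else None
            reason = ("first-seen" if gap is None else "matches-sign-in-frequency"
                      if gap >= SIGN_IN_FREQUENCY else "early-reprompt")
            report.append((user, cur["start"].isoformat(), len(cur["apps"]), reason))
    return report
```

Each row of `classify(mfa_bursts(SAMPLE))` gives the user, burst start, number of apps in the burst and a label. A burst labelled `early-reprompt` arrived before the 12 hours had elapsed, so the sign-in frequency alone does not explain it.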

