MFA every 24 hours without a sign-in

Bill Spicer 21 Reputation points
2024-09-27T13:04:55.0333333+00:00

We currently have legacy MFA still enabled where we remember devices x number of days. Currently this is set to 1 day so our users are prompted for MFA every 24 hours. We get tons of complaints about this frequency but with today's phishing and token stealing, we wanted to reduce that window. We have since added additional policies to reduce those risks but we still want 24-hour MFA. We have set up a conditional access policy to force MFA for all users but there is no setting to require just MFA every 24 hours other than selecting sign-in frequency, which forces the user to type their password and complete MFA. I also noticed while testing this, you are forced to type your password for every app (Outlook, Teams, Browser) every 24 hours, which our users will not like. You would think satisfying one app would satisfy the other. We have almost completed implementing compliant devices in Intune and have policies set up to restrict access to those devices and I know Microsoft used to suggest relaxing MFA but I don't feel we should. I'm hoping there is a way to simulate the legacy MFA using CA policies to only require MFA x number of days and then force a sign-in less frequently. How are you all working through this change?

Microsoft Entra

4 answers

  1. Clément BETACORNE 2,266 Reputation points
    2024-09-27T13:38:02.58+00:00

    Hello,

    On my side, most of the companies I worked with are using M365 E5 licenses, which means they require MFA based on user risk level. For the other companies, they require MFA based on user location.

    Regards,

    Clément


  2. Bill Spicer 21 Reputation points
    2024-09-27T13:43:20.16+00:00

    Thanks for the reply. We do have a CA policy that forces MFA for medium and high risks as well but we have seen issues where the sign-in attempts from bad actors are not flagged as risky. We have reported several false negatives to MS. Just looking for daily MFA without requiring a user to sign-in (type password). Thanks


  3. Philippe Levesque 5,796 Reputation points
    2024-09-27T15:18:04.5233333+00:00

    Hi

    Location and risk management for the MFA do the job for me. At a minimum you need at least Entra P2 to have these options.


  4. Clément BETACORNE 2,266 Reputation points
    2024-10-02T11:16:45.2466667+00:00

    Hi,

    In that case maybe you should go for a passwordless strategy and use FIDO or Windows Hello For Business.
