We currently have legacy MFA still enabled where we remember devices x number of days. Currently this is set to 1 day, so our users are prompted for MFA every 24 hours. We get tons of complaints about this frequency, but with today's phishing and token stealing, we wanted to reduce that window. We have since added additional policies to reduce those risks, but we still want 24-hour MFA. We have set up a conditional access policy to force MFA for all users, but there is no setting to require just MFA every 24 hours other than selecting sign-in frequency, which forces the user to type their password and complete MFA. I also noticed while testing this that you are forced to type your password for every app (Outlook, Teams, Browser) every 24 hours, which our users will not like. You would think satisfying one app would satisfy the other. We have almost completed implementing compliant devices in Intune and have policies set up to restrict access to those devices, and I know Microsoft used to suggest relaxing MFA, but I don't feel we should. I'm hoping there is a way to simulate the legacy MFA using CA policies to only require MFA x number of days and then force a sign-in less frequently. How are you all working through this change?
Hello,
On my side, most of the companies I worked with are using M365 E5 licenses, which means they require MFA based on user risk level. For the other companies, they require MFA based on user location.
Regards,
Clément
Thanks for the reply. We do have a CA policy that forces MFA for medium and high risks as well, but we have seen issues where the sign-in attempts from bad actors are not flagged as risky. We have reported several false negatives to MS. Just looking for daily MFA without requiring a user to sign in (type password). Thanks
Hi
Location and risk management for the MFA do the job for me. At the minimum you need at least Entra P2 to have these options.
Hi,
In that case maybe you should go for a passwordless strategy and use FIDO or Windows Hello For Business.