Persistent MFA for Sensitive Business Applications

Surjeet Singh 65 Reputation points
2025-03-31T02:38:13.8066667+00:00

What are the best practices recommended by Microsoft regarding persistent MFA prompts for users accessing sensitive business applications?

While acknowledging that this approach may introduce some friction, the goal is to enhance security by enabling MFA every time a user logs into a sensitive application as defined by the business.

Thank you

Microsoft Entra ID

2 answers

  1. Abiola Akinbade 26,900 Reputation points
    2025-03-31T07:11:09.9566667+00:00

    The main recommendation regarding this is to set up Conditional Access policies. Create a policy targeting specific users or groups as well as specific cloud apps, and under Grant, select "Require multi-factor authentication".

    Also, group and categorize high-security apps.

    See links that can guide you here:

    Microsoft Entra recommendation: Minimize MFA prompts from known devices

    Plan a Microsoft Entra multifactor authentication deployment

    Configuring Conditional Access

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    (Please note: If you have Priority Community support please wait for a dedicated Microsoft support representative to assist you, as they have access to the necessary backend resources. If you have not yet opened a support case, we recommend reaching out through the support channel available under your subscription level.)

    Regards,

    Abiola


  2. Harshitha Eligeti 2,590 Reputation points Microsoft External Staff
    2025-04-01T19:12:10.4566667+00:00

    Hello @Surjeet Singh,
    As per your queries, I recommend enabling Multi-Factor Authentication (MFA) each time a user logs in to access sensitive resources to enhance security. This can be achieved by setting up Conditional Access policies that enforce MFA for specific users.
    In my view, a standard Conditional Access policy should work in most cases.
    However, if the application you're using is highly sensitive, it may be necessary to adjust the session duration settings by using sign-in frequency and setting it to "Every time" in the Conditional Access policy. By shortening the session duration, you can ensure that users are prompted for MFA more frequently, especially for high-security applications. This configuration can be selectively applied to specific applications as needed.

    Go to the Azure Portal and navigate to Microsoft Entra ID > Security > Protect > Conditional Access.
    NOTE: The "Every time" option is evaluated on every sign-in attempt to an application in scope for the policy.
    Kindly refer to this document for additional information: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime#policy-3-sign-in-frequency-control-every-time-risky-user

    Do let us know if you have any queries. We are happy to assist you further.

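Both answers above describe the same Conditional Access policy: scope it to a group of users and a specific sensitive application, require MFA under Grant, and (per the second answer) set the sign-in frequency session control to "Every time". The following is an added example, not code from either answerer or from Microsoft's documentation, showing how to create that policy with the Microsoft Graph PowerShell SDK instead of clicking through the portal. It assumes the group "Sensitive App Users", an emergency-access group "Emergency Access Accounts", and an enterprise application "Contoso Finance Portal" already exist in the tenant; those display names and the policy name are placeholders to replace with your own.

```powershell
# Added example (not from the original thread): build the Conditional Access policy
# described in both answers using the Microsoft Graph PowerShell SDK.
# Assumed objects (replace with your own): group "Sensitive App Users",
# group "Emergency Access Accounts", enterprise app "Contoso Finance Portal".

# Install-Module Microsoft.Graph -Scope CurrentUser   # one-time install
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Resolve the assumed objects by display name.
$targetGroup  = Get-MgGroup            -Filter "displayName eq 'Sensitive App Users'"
$breakGlass   = Get-MgGroup            -Filter "displayName eq 'Emergency Access Accounts'"
$sensitiveApp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Finance Portal'"

if (-not $targetGroup -or -not $breakGlass -or -not $sensitiveApp) {
    throw "One or more assumed objects were not found; adjust the display names above."
}

$policy = @{
    displayName = "CA - Sensitive apps - MFA on every sign-in"   # placeholder name
    # Start in report-only mode so the effect can be reviewed in the sign-in logs
    # before any user is actually blocked or prompted.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        users = @{
            includeGroups = @($targetGroup.Id)
            # Microsoft recommends excluding emergency access (break-glass) accounts
            # from every Conditional Access policy so admins cannot be locked out.
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            # Conditional Access identifies the app by the service principal's appId.
            includeApplications = @($sensitiveApp.AppId)
        }
    }
    # "Require multi-factor authentication" under Grant (first answer).
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    # Sign-in frequency "Every time" (second answer): with frequencyInterval set to
    # everyTime, no value/type interval is supplied; the policy is re-evaluated on
    # every sign-in attempt to the in-scope application.
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back to confirm the session control was stored as intended.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).SessionControls.SignInFrequency
```

After a period in report-only mode, review the sign-in logs (the "Report-only" tab on each sign-in shows what the policy would have done), then switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Scoping the policy to a single application rather than all cloud apps is what keeps the "every time" prompt limited to the sensitive application, which is the trade-off between friction and assurance the question raises.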
