Frequent MFA Requests

ca 20 Reputation points
2025-04-02T22:28:16.8866667+00:00

We are using conditional access policies to enforce MFA for groups in Entra ID. Some users experience frequent MFA requests even when they do not close their browser. One user I am troubleshooting was prompted 8 times in two days without closing the browser.

In order to save a policy with the 'Persistent Browser Session' box checked and set to 'Always Persistent', you must have configured Target Resources to all; otherwise Entra will give an error. However, all our users must have an exclusion filter for our JamfConnect Application to work properly.

I would like to have sessions be persistent, but if I do not exclude the JamfConnect application it will not work properly... I'm looking for a policy or combination of policies that will accomplish both things.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Anonymous
2025-04-08T21:13:11.42+00:00

Hello ca

As we discussed over the call, you want to configure the policy regarding the persistent browser for the JAMF application.

  1. Require TAP for MFA Registration from Untrusted Network
  2. All Apps Persistent Browser
  3. Require MFA for Employees

Require TAP for MFA Registration from Untrusted Network:
When users come from an untrusted network, it will prompt for MFA; if users come from a trusted network, it will not prompt for MFA.
1. Select the users or groups.
2. Select the targeted resource.
3. Exclude the trusted network from the policy.
4. In grant control, select the Required MFA.

**All Apps Persistent Browser**

When the user accesses the JAMF application, the browser session should remain, or it should not ask the users for MFA again.

1. Select the users or groups.
2. Select the targeted resource (JAMF application).
3. In grant controls, select the browser Persistent to always.

Note: After creating the policy, ensure you clear the browser caches and cookies.

3. Require MFA for Employees

Users need to be enforced to register for MFA.
1. Select the users or groups.
2. Select the targeted resource.
3. In grant control, select the Required MFA.

Hope this helps. Do let us know if you have any further queries.

 

If this answers your query, do click `Accept Answer` and `Yes`.


1 additional answer

  1. Ashok M 6,876 Reputation points
    2025-04-03T05:49:11.8833333+00:00

    Hi,

    You can create 2 conditional access policies like below and test it.

    1. Inclusion (All Users) - Targeted app (All cloud apps) - Excluded app (Jamf) - session (default)
    2. Inclusion (All Users) - Targeted app (Jamf) - session (persistent)

    Conditional Access Policies act independently and will not interfere with each other. The expected outcome is for the session to be persistent when accessing Jamf and default for the rest of the cloud apps.

    I suggest creating a security group and applying these policies. The 'WhatIf' option can also be used to validate the CAs being applied. Also, verify the sign-in frequency for frequent MFA requests.

    If the above suggestion helps, please click on 'Accept answer' and 'upvote' it.
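
As an added example (not part of either answer and not Microsoft's code): a check over exported policies in Microsoft Graph `conditionalAccessPolicy` JSON for the two things this thread turns on, a persistent-browser control on a policy not scoped to all apps (the save error described in the question) and the shortest sign-in frequency that applies to a given app. The policy names, the `JAMF-APP-ID` placeholder and all sample values are constructed; user and group scoping is ignored.

```python
import json

# Constructed sample in Microsoft Graph conditionalAccessPolicy shape.
# "JAMF-APP-ID" is a placeholder, not a real application ID.
SAMPLE = json.loads("""
[
 {"displayName": "MFA all apps except Jamf", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
                                  "excludeApplications": ["JAMF-APP-ID"]}},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "hours", "value": 4}}},
 {"displayName": "Jamf persistent browser", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["JAMF-APP-ID"]}},
  "sessionControls": {"persistentBrowser": {"isEnabled": true, "mode": "always"}}},
 {"displayName": "Old pilot", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "sessionControls": {"signInFrequency": {"isEnabled": true, "type": "hours", "value": 1}}}
]
""")

def applies_to(policy, app_id):
    """True if an enabled policy targets app_id (user/group scoping is ignored)."""
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return (policy.get("state") == "enabled" and app_id not in excluded
            and ("All" in included or app_id in included))

def shortest_sign_in_frequency_hours(policies, app_id):
    """Smallest enabled sign-in frequency (in hours) that hits app_id, or None."""
    hours = []
    for p in policies:
        sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if applies_to(p, app_id) and sif.get("isEnabled"):
            if sif.get("frequencyInterval") == "everyTime":
                hours.append(0)  # reauthentication on every sign-in
            else:
                hours.append(sif["value"] * (24 if sif["type"] == "days" else 1))
    return min(hours) if hours else None

def persistent_browser_scope_issues(policies):
    """Policies enabling persistent browser without targeting all apps (per the question)."""
    issues = []
    for p in policies:
        pb = (p.get("sessionControls") or {}).get("persistentBrowser") or {}
        apps = p["conditions"]["applications"]
        if pb.get("isEnabled") and (apps.get("includeApplications") != ["All"]
                                    or apps.get("excludeApplications")):
            issues.append(p["displayName"])
    return issues
```

On the constructed sample, the Jamf-scoped persistent-browser policy is flagged, and any app other than Jamf inherits the 4-hour sign-in frequency from the all-apps policy.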
