This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 89%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
We're a little slow off the mark but we're rolling out MFA to our users. We've enabled MFA for around 50 users (ie: using User MFA, not CA policy) to test the waters. We have also enabled 'trusted devices (ie: the 'Allow users to remember multi-factor authentication on devices they trust') with a value of 90 days. This appears to be working well for half the users, however, the other half are prompted daily for MFA authentication. This only appears to happen when opening desktop apps such as Teams. This doesn't seem to be the case for web based apps such as outlook.office365.com. My understanding is web based apps use cookies and desktop apps use refresh tokens when it comes to MFA session timeouts etc. Where are the refresh tokens stored, is it possible these are being purged upon reboot? All 50 users have Windows 10 devices (recent builds) which are Hybrid AAD joined. Any thoughts why some users are prompted for MFA daily and others aren't, there's no obvious pattern?
A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi James,
Thanks for the reply and the link.
As mentioned in my original post the issue only appears to be effecting some users and only for desk applications (ie: Teams, OneDrive, etc) but not browser apps. We have the 'Allow users to remember multi-factor authentications on devices they trust' enabled and set for 90 days. The problematic users appear to be prompted most day when first opening the Teams app or OneDrive app. All users have Hybrid joined Windows 10 devices.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 74%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Did you ever get this resolved? We have the exact same problem - redundant MFA prompts for O365 desktop apps for some users despite a setting to remember for 90 days. Users report the same as yours did - prompts when opening the apps after booting up. All users are hybrid domain joined Win10 endpoints.
Sorry, we never found a fix for this. All the company workstations were on a lease and were replaced shortly after I posted this. Rather than hybrid joining the new workstations we Autopilot them and Azure AD Joined them. Nobody had any issues after this so my gut feeling was the issue was related to either; Hybrid Join or a user profile problem (we redirected some parts of the users profile).