MFA questions

Anonymous
2019-02-06T12:08:26+00:00

Hi all,

Is it possible to force MFA once a week for single/multiple users?

In the MFA service settings, there is an option that allows the user to remember the device and not be asked for MFA for a certain amount of time:

https://docs.microsoft.com/nb-no/azure/active-directory/authentication/howto-mfa-mfasettings#suspend-multi-factor-authentication-for-remembered-devices-and-browsers-public-preview

If we enable this, and the user does not tick the option to remember, then I guess it doesn't force MFA on that device again?

Are there other ways this can be enabled?

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2019-02-06T15:29:40+00:00

Hi Off2w0rk,

According to my research, once the Office 365 client is authenticated with MFA, you will receive an access token and a refresh token to be able to access Office 365 services. The access token is only valid for an hour and then the refresh token is used to obtain a new access token if the initial authentication is still valid.

The Refresh token is valid for 14 days by default but if you are continuously using your mailbox during this period it can last up to 90 days.

So it could be you are not asked for Multi-factor authentication again for up to 90 days in Outlook.

Things that could force you to re-authenticate:

1. If you sign in and out again in Office clients

2. Don't login for 14 days on that device

3. Change your password

4. Administrators can apply conditional policies to restrict the resource the user is trying to access

5. Swap between Office 365 accounts

And as far as I know, it is infeasible to force MFA once a week in Office 365, while I totally understand your concern to have this feature included. I suggest you submit your ideas via the following link:

https://office365.uservoice.com/forums/264636-general

Many features of current programs have been designed and upgraded based on customers’ feedback.

Best Regards,

Huni

1 person found this answer helpful.
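
The token lifetimes described in the accepted answer, worked through as an added example (not part of the original thread, and not Microsoft code): a small Python model that takes the 14-day inactivity and 90-day maximum figures from the answer and reports when a user's activity pattern would first require interactive sign-in again. The function name, the sample dates and the choice to treat a token as expired exactly at its limit are assumptions of this sketch.

```python
from datetime import datetime, timedelta

# Figures as stated in the answer above (tenant defaults, not API constants).
REFRESH_INACTIVITY = timedelta(days=14)  # refresh token lapses if unused this long
REFRESH_MAX_AGE = timedelta(days=90)     # ceiling even with continuous use


def first_mfa_reprompt(mfa_time, activity, password_changed_at=None):
    """Return (when, reason) for the first activity that needs interactive
    sign-in again, or None if the refresh token covers every activity."""
    last_use = mfa_time
    for t in sorted(activity):
        if password_changed_at is not None and mfa_time <= password_changed_at <= t:
            return t, "password changed"
        if t - last_use >= REFRESH_INACTIVITY:
            return t, "inactive for 14 days"
        if t - mfa_time >= REFRESH_MAX_AGE:
            return t, "90-day maximum reached"
        last_use = t  # silent renewal slides the inactivity window forward
    return None


def days(start, offsets):
    """Build activity timestamps at the given day offsets from start."""
    return [start + timedelta(days=d) for d in offsets]


# Constructed sample data: three usage patterns after one MFA sign-in.
START = datetime(2019, 2, 6, 9, 0)
DAILY = days(START, range(1, 101))         # uses the mailbox every day
WEEKLY = days(START, range(7, 99, 7))      # uses it once a week
WITH_GAP = days(START, [1, 2, 3, 18, 19])  # 15-day break after day 3

if __name__ == "__main__":
    for name, acts in (("daily", DAILY), ("weekly", WEEKLY), ("gap", WITH_GAP)):
        print(name, first_mfa_reprompt(START, acts))
```

With these defaults, both the daily and the weekly user go roughly 90 days without a prompt, which is why a weekly MFA requirement cannot be met by relying on token expiry alone.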

10 additional answers

  1. Anonymous
    2019-02-08T07:07:19+00:00

    Hi Off2w0rk,

    This is Leo replying and I have taken over this case. Your understanding is correct: if you configure MFA with Conditional Access, the MFA will only prompt when it matches your policy criteria, like login request IPs outside the country.

    Regarding the local MFA server part, since our team mainly focuses on Office 365 for Business questions (also Azure MFA is part of Office 365 for Business services, hence it belongs to our support boundary), we'd like to recommend that you ask this question in our Azure support forum to get dedicated help: https://social.msdn.microsoft.com/Forums/azure/en-US/home?forum=windowsazuread

    Your understanding is appreciated. Please feel free to let me know if you still have questions regarding Azure MFA in cloud.

    Regards,

    Leo

  2. Anonymous
    2019-02-07T16:49:13+00:00

    Hi Huni and thanks for your time. Our environment is hybrid with ADFS (No MFA Connector or server) and SSO has been enabled. Currently MFA is enabled using conditional access.

    According to this article, there are 3 ways to enable MFA: https://docs.microsoft.com/nb-no/azure/active-directory/authentication/howto-mfa-userst

    Userstate

    Conditional access

    AAD Identity protection

    In Conditional access we can see there is something called Named locations and we can choose regions/countries we trust. Which means if coming from IPs in that region, no MFA is required? This would help at least triggering MFA when a user logs in from another country.

    Not sure if it's a good thing to deploy a local MFA server and play with the rules there?

  3. Anonymous
    2019-02-07T16:25:37+00:00

    Hi Off2w0rk,

    For your questions, I need to do some research and consult. I'll be back if there're any updates. Meanwhile, I’d like to confirm what your current environment is, pure cloud, on-premises or hybrid.

    Best Regards,

    Huni

  4. Anonymous
    2019-02-06T15:45:38+00:00

    Thanks Huni, do you have any official Microsoft documentation regarding those 5 things that cause re-authentication?

    What we are after is what can be done/changed on the MFA setting side of the O365/Azure tenant.

    I can only find the link I provided and another related to conditional access, which doesn't have any option for it. We also want to force re-authentication if the user connects from another IP range (outside country). Is it possible at all using conditional access or is using ADFS the only way?
