Can User sign-in frequency prompt MFA only?

Nattawut Teerajarukul 216 Reputation points
2021-08-26T05:07:48.667+00:00

I already use Conditional Access via this guide: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
User sign-in frequency is set to 1 hour.
Every 1 hour the user is prompted to sign in and do MFA again.

But the customer needs a prompt for MFA only (bypass password) when the session has expired.
Can I configure the sign-in frequency policy to bypass the password but prompt for MFA only?


1 answer

  1. Marco Gerber 31 Reputation points
    2021-08-26T20:55:45.217+00:00

    Hi @Nattawut Teerajarukul, according to this docs article this behaviour is by design, therefore a full re-auth is triggered using sign-in frequency: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-multi-factor-authentication

    Maybe you could solve the challenge with Conditional Access policies which trigger MFA when accessing a certain cloud app or by other conditions.