Conditional Access Sign-in frequency Multiple MFA prompts

azrider 26 Reputation points

Hello -

We have domain-joined (i.e. hybrid Azure AD joined) W10 devices; users sign in using WHfB, and checking the SSO state with dsregcmd /status shows AzureAdPrt: YES.

There is a CA policy applied to a select group of users with:

  • All cloud apps
  • All client apps (browser, mobile & desktop clients, EAS clients, other clients)
  • Grant access: Require MFA
  • Sign-in frequency: 1 day
  • Persistent browser session: always

We are using M365 Apps for Enterprise, and the problem is that various individual apps (e.g. OneDrive, Teams, Outlook) prompt for MFA and password at the start of the session.

Shouldn't the M365 apps share the PRT token (inc. the MFA claim) following the WHfB sign-in?

We would like to see a single/universal MFA challenge

SSO works OK when users are outside the scope of this CA policy

Does anybody have this working properly?

Thank you
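The question relies on `dsregcmd /status` reporting `AzureAdPrt : YES`. The following script is an added example (not part of the original post) that parses that output and reports the device-state and SSO-state fields relevant to PRT-based SSO: `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime` and `AzureAdPrtExpiryTime`. Run it with `-Live` on a Windows device to read the real output; without `-Live` it parses a constructed sample (the tenant ID in the sample authority URL is a placeholder) so the functions can be tried anywhere.

```powershell
# Added example, not code from the original question: parse the output of
# `dsregcmd /status` and report the fields that matter for PRT-based SSO.
# Run with -Live on a Windows device to read the real output; without it a
# constructed sample is parsed so the functions can be exercised anywhere.
[CmdletBinding()]
param([switch]$Live)

function ConvertFrom-DsregStatus {
    # Turn "   Key : Value" lines into a hashtable; the +---+ / | Section | headers are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtSsoReady {
    # Ready = $true when the device is hybrid joined and holds a PRT that has not expired.
    param(
        [Parameter(Mandatory)][hashtable]$State,
        [datetime]$Now = [datetime]::UtcNow
    )
    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') { $problems += 'AzureAdJoined is not YES: the device is not registered with Entra ID.' }
    if ($State['DomainJoined']  -ne 'YES') { $problems += 'DomainJoined is not YES: this is not a hybrid join.' }
    if ($State['AzureAdPrt']    -ne 'YES') {
        $problems += 'AzureAdPrt is not YES: without a PRT, desktop apps cannot silently reuse the sign-in.'
    } elseif ($State['AzureAdPrtExpiryTime'] -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        # dsregcmd prints UTC timestamps such as "2024-01-15 08:30:12.000 UTC".
        $expiry = [datetime]::SpecifyKind(
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture),
            [DateTimeKind]::Utc)
        if ($expiry -le $Now) { $problems += "PRT expired at $expiry UTC; a fresh interactive sign-in is needed." }
    }
    [pscustomobject]@{
        Ready         = ($problems.Count -eq 0)
        AzureAdJoined = $State['AzureAdJoined']
        DomainJoined  = $State['DomainJoined']
        AzureAdPrt    = $State['AzureAdPrt']
        PrtUpdateTime = $State['AzureAdPrtUpdateTime']
        PrtExpiryTime = $State['AzureAdPrtExpiryTime']
        Problems      = $problems
    }
}

if ($Live) {
    $lines = & dsregcmd.exe /status
    $now   = [datetime]::UtcNow
} else {
    # Constructed sample resembling the Device State and SSO State sections of real output.
    $lines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-15 08:30:12.000 UTC
      AzureAdPrtExpiryTime : 2024-01-29 08:30:12.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"
    # Fixed "now" so the sample evaluates the same way every time it is run.
    $now = [datetime]::new(2024, 1, 20, 0, 0, 0, [DateTimeKind]::Utc)
}

$result = Test-PrtSsoReady -State (ConvertFrom-DsregStatus -Lines $lines) -Now $now
$result | Format-List
```

When the report shows `Ready : True` but desktop apps still prompt, the device side of SSO is fine and the cause is on the policy side (session controls applied to the user), which is the situation the question describes.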


2 answers

  1. Crossley, Erik G 5 Reputation points

    I know this post is several years old but was curious if anyone had any further updates.

    We're experiencing the same behavior with a 7-day session control for hybrid-joined devices & mobile devices, and the behavior of MFA prompts on Windows, iOS & Android is all over the place.

    Some receive a separate prompt from various M365 apps on Windows after the session control expires. Similar experience on mobile, but it's not consistent for everyone.

    For example, my Android device is super consistent & seamless. I'm prompted to sign in (first factor + second factor) after opening an M365 app, & any M365 app I open after seems to share that token & not prompt me. Others on Android & iOS don't have this experience & are prompted per app.

    On Windows, I'm prompted periodically for random apps throughout the 7-day period. At this point I can't even tell when my 7-day period is on Windows.


  2. Jai Verma 461 Reputation points

    We are using this policy and we did extensive testing before deploying in our environment. Here is my experience and understanding:

    • We have to satisfy MFA once for Office applications (whichever one the user clicks first), and the rest of the Office applications do not prompt for MFA.
    • However, non-Office applications, which do not use the PRT, still prompt for MFA.
    • It works very differently for mobile devices: every application on mobile prompts for MFA, and we decided to exclude mobile from the MFA policy as it was very annoying.

    So the symptoms you described on your HAADJ device are unexpected.

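To make the policy from the question and the mobile exclusion from the second answer concrete, the script below is an added example (not code from either poster or from Microsoft) that builds the Conditional Access policy as a Microsoft Graph `conditionalAccessPolicy` body: all cloud apps, all client app types, grant requiring MFA, a 1-day sign-in frequency and a persistent browser session. It creates the policy in report-only state so its effect can be reviewed in the sign-in logs before enforcement; `-ExcludeMobile` adds the second answer's workaround of leaving Android and iOS out of scope. `$GroupObjectId` is a placeholder, not a real group; `-Deploy` calls `New-MgIdentityConditionalAccessPolicy` from the Microsoft.Graph PowerShell SDK, and without it the JSON body is only printed.

```powershell
# Added example, not code from the original thread: the Conditional Access policy
# described in the question as a Microsoft Graph conditionalAccessPolicy body,
# created in report-only state. -ExcludeMobile applies the second answer's
# workaround (keep Android/iOS out of the policy). $GroupObjectId is a placeholder.
[CmdletBinding()]
param(
    [string]$GroupObjectId = '<pilot-group-object-id>',   # placeholder, replace with the pilot group's object ID
    [switch]$ExcludeMobile,
    [switch]$Deploy
)

function New-SignInFrequencyPolicyBody {
    param(
        [Parameter(Mandatory)][string]$GroupObjectId,
        [int]$SignInFrequencyDays = 1,
        [switch]$ExcludeMobile
    )
    $body = @{
        displayName = "Pilot: MFA with $SignInFrequencyDays-day sign-in frequency"
        # Report-only: evaluated and logged, never enforced. Change to 'enabled' after reviewing the logs.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($GroupObjectId) }
            applications   = @{ includeApplications = @('All') }
            # 'all' covers browser, mobile and desktop clients, Exchange ActiveSync and other clients.
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
        sessionControls = @{
            signInFrequency   = @{ value = $SignInFrequencyDays; type = 'days'; isEnabled = $true }
            persistentBrowser = @{ mode = 'always'; isEnabled = $true }
        }
    }
    if ($ExcludeMobile) {
        # Second answer's workaround: each mobile app prompted separately, so mobile is left out.
        # Graph requires includePlatforms whenever excludePlatforms is set.
        $body.conditions.platforms = @{
            includePlatforms = @('all')
            excludePlatforms = @('android', 'iOS')
        }
    }
    return $body
}

$policy = New-SignInFrequencyPolicyBody -GroupObjectId $GroupObjectId -ExcludeMobile:$ExcludeMobile

if ($Deploy) {
    # Requires the Microsoft.Graph.Identity.SignIns module and an account allowed to manage CA policies.
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
} else {
    $policy | ConvertTo-Json -Depth 10
}
```

Running it without `-Deploy` prints the body so the session controls can be compared with what the portal shows for the existing policy; the report-only state means the pilot group's sign-in logs record which apps the sign-in frequency would have re-challenged, without users being prompted.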