Conditional Access Sign-in frequency Multiple MFA prompts

azrider 21 Reputation points
2021-09-28T21:52:38.993+00:00

Hello -

We have domain-joined (i.e. hybrid Azure AD joined) W10 devices; users sign in using WHfB, and checking the SSO state with dsregcmd /status shows AzureADPrt: YES.

There is a CA policy applied to a select group of users with:

  • All cloud apps
  • All client apps (browser, mobile & desktop clients, EAS clients, other clients)
  • Grant access: Require MFA
  • Sign-in frequency: 1 day
  • Persistent browser session: always

We are using M365 Apps for Enterprise, and the problem is that various individual apps (e.g. OneDrive, Teams, Outlook) prompt for MFA and password at the start of the session.

Shouldn't the M365 apps share the PRT token (inc. the MFA claim) following the WHfB sign-in?

We would like to see a single/universal MFA challenge.

SSO works OK when users are outside the scope of this CA policy.

Does anybody have this working properly?

Thank you
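One way to see which apps are actually re-prompting inside the 1-day window, and which policies and session controls were enforced on each sign-in, is to pull the user's sign-in log from Microsoft Graph. This is an added diagnostic written for this thread, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the account running it has consent for AuditLog.Read.All and Directory.Read.All, and `<user@contoso.example>` is a placeholder UPN.

```powershell
# Added example (not from the original post): list one user's interactive
# sign-ins from the last day and show, per app, whether MFA was required,
# the CA result, and which policies / session controls were applied.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn   = "<user@contoso.example>"   # placeholder, replace with the affected user
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Note: by default this returns interactive sign-ins only, which is what we
# want here, since an MFA prompt is by definition an interactive sign-in.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

# One row per sign-in: app, client, MFA requirement, CA outcome, applied policies
$rows = $signIns | Sort-Object CreatedDateTime | ForEach-Object {
    $applied = $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in @('success', 'failure') } |
        ForEach-Object {
            # EnforcedSessionControls shows whether signInFrequency /
            # persistentBrowser were actually enforced on this sign-in
            "$($_.DisplayName)=$($_.Result) [$($_.EnforcedSessionControls -join ',')]"
        }
    [pscustomobject]@{
        Time     = $_.CreatedDateTime
        App      = $_.AppDisplayName
        Client   = $_.ClientAppUsed
        AuthReq  = $_.AuthenticationRequirement   # single- vs multiFactorAuthentication
        CAStatus = $_.ConditionalAccessStatus
        Policies = ($applied -join '; ')
    }
}
$rows | Format-Table -AutoSize

# Which apps forced a fresh MFA within the window? With a shared PRT carrying
# the MFA claim, you would expect at most one entry here, not one per app.
$rows |
    Where-Object { $_.AuthReq -eq 'multiFactorAuthentication' } |
    Group-Object App |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

If the second table shows Teams, OneDrive and Outlook each counted separately within a day, the apps are not honouring the MFA claim from the PRT, and the `Client` column tells you whether the prompting client was the desktop app or an embedded browser/web view, which are evaluated differently by Conditional Access.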

Azure Active Directory

1 answer

  1. Jai Verma 451 Reputation points
    2021-09-29T08:07:18.027+00:00

    We are using this policy, and we did extensive testing before deploying it in our environment. Here is my experience and understanding:

    • We have to satisfy MFA once for Office applications (whichever one the user clicks first), and the rest of the Office applications do not prompt for MFA.
    • However, non-Office applications, which do not use the PRT, still prompt for MFA.
    • It works very differently for mobile devices: every application on mobile prompts for MFA, and we decided to exclude mobile from the MFA policy as it was very annoying.

    So the symptoms you described on your HAADJ device are unexpected.
