This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 14.000000000000002%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
We have all of our users on Intune joined devices. They're all in the office where the office IPs are whitelisted. They're all applied to the same conditional access policies.
Some users will get no MFA prompts at all while in office. Others who are also in office will get MFA prompts. Some getting them 3 times a day. Entra logs show consistently show "Token Protection - Sign In Session Status" as 1002 when the user gets prompted.
This only happens when using Google Chrome. Any ideas? Let me know if you need more information.
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Any help from:
https://www.michaelvink.com/l/conditionalaccesstokenprotection/
If you are using token protection in a CA policy consider disabling the policy and testing
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection