Rafik-5035 asked sikumars commented

Users Getting MFA Prompts in the middle of Teams meeting

Hi,

We have configured MFA authentication for users with Conditional Access (see image). All users have a hardware token as a second factor; other users, like administrators, use Microsoft Authenticator.

The issue is that 50% of users don't like being prompted many times a day for all apps or browsers.

The main issue is for some users. They report that they are prompted to enter a code while they are in a meeting. It's a weird experience when they are with clients or in an important meeting.

We have configured for non-admin users a Sign-in Frequency of 1 day and a persistent browser session (see image). It's supposed to prompt every 24 hours. Why are they prompted for MFA in a Teams meeting, for example at 11 am? Is there a way to keep them from being prompted in the middle of the day? Please see my config.

azure-ad-conditional-access

@Rafik-5035,

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Thank you for your reply.
We still have this problem. Users report to us that the MFA prompt arrives in the middle of their meeting and randomly.
Can we configure in CA that the MFA prompt appears just when we start a session?


You can only specify session-related settings that are mentioned here, but the best way to avoid these kinds of issues is by leveraging Azure AD joined devices along with seamless SSO, so that whenever authentication is required the user would experience single and factor authentication seamlessly.

However, I would recommend that you reach out to MS support to figure out the actual cause of this issue. Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



1 Answer

sikumars answered

Hello @Rafik-5035,

Thanks for reaching out and apologies for any inconvenience caused by this issue.

Here are my thoughts on this scenario:

If there is more than one CA policy applied to the same set of applications, MFA might be repeated, resulting in multiple MFA prompts for the user. Example: the current implementation has Teams requiring MFA within 1 day, and when a user launches Teams they are prompted. While inside Teams, another MS service is called (SharePoint, for example) and another conditional access policy will prompt for MFA for SharePoint.

This continues for each accessed MS application and conditional access policy that is configured. This article has more info on service dependencies to help identify which apps will need to be included on your conditional access policy: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/service-dependencies

Secondly, if the token is getting invalidated by the application, let's say MS Teams inactivated the token for some reason, then the user may be asked to redo authentication, including second-factor authentication, based on the CA condition; but getting MFA prompts in the middle of a Teams meeting seems to be problematic.

Therefore, this would require active troubleshooting to identify the actual cause of the issue, hence I would recommend that you reach out to MS support, who can help you. In case you don't have a support plan, I can help you with one-time free support.

Hope this helps.
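
An added example, not part of the original thread or Microsoft's tooling: a check for the overlap the answer describes, run over Conditional Access policies exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape. The policies, the placeholder app ids and the dependency map are constructed assumptions, and only application scope is compared (user, device and location conditions are ignored).

```python
def policy(name, state, apps, unit, value):
    """Constructed sample policy in the Microsoft Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps, "excludeApplications": []}},
            "sessionControls": {"signInFrequency": {"isEnabled": True, "type": unit, "value": value}}}

# Constructed data: app ids are placeholders, not real application GUIDs.
POLICIES = [
    policy("MFA-Teams-1day", "enabled", ["TEAMS-ID"], "days", 1),
    policy("MFA-SharePoint-4h", "enabled", ["SHAREPOINT-ID"], "hours", 4),
    policy("MFA-All-report-only", "enabledForReportingButNotEnforced", ["All"], "hours", 1),
]
# Assumed dependency map: services Teams calls on the user's behalf.
DEPENDS_ON = {"TEAMS-ID": ["SHAREPOINT-ID", "EXCHANGE-ID"]}

def frequency_hours(p):
    """Sign-in frequency of an enforced policy in hours, or None if it sets none."""
    sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
    if p.get("state") != "enabled" or not sif.get("isEnabled") or sif.get("value") is None:
        return None
    return sif["value"] * (24 if sif.get("type") == "days" else 1)

def strictest(policies, app_id):
    """(hours, policy name) of the shortest sign-in frequency that applies to app_id."""
    hits = []
    for p in policies:
        apps = p["conditions"]["applications"]
        if app_id in (apps.get("excludeApplications") or []):
            continue
        included = apps.get("includeApplications") or []
        hours = frequency_hours(p)
        if hours is not None and ("All" in included or app_id in included):
            hits.append((hours, p["displayName"]))
    return min(hits) if hits else None

def shorter_dependencies(policies, client_id, depends_on):
    """Dependencies that force re-authentication more often than the client app does."""
    client = strictest(policies, client_id)
    findings = []
    for dep in depends_on.get(client_id, []):
        dep_hit = strictest(policies, dep)
        if dep_hit and (client is None or dep_hit[0] < client[0]):
            findings.append((dep, *dep_hit))
    return findings

if __name__ == "__main__":
    for dep, hours, name in shorter_dependencies(POLICIES, "TEAMS-ID", DEPENDS_ON):
        print(f"{dep}: prompt every {hours}h via '{name}' (shorter than Teams policy)")
```

Any dependency it reports is a service whose policy can trigger a prompt inside a Teams session before the Teams policy's own interval has elapsed.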
