How to use conditional access with a (very) slow internet connection?

Ruben 21 Reputation points
2020-01-13T16:17:15.033+00:00

Hi all,

I am currently encountering a situation where we are rolling out conditional access. This is going well, but we have one group of users that have very slow (satellite) internet. The internet is so slow that users tend to miss the expiration deadline for MFA codes.

I was wondering if there are minimum internet requirements for rolling out conditional access in the docs somewhere?

Also, if we assume that speeding up the internet is not a solution, is it possible to somehow increase the expiration time for an MFA token? Or to allow more than only the current MFA token?
Of course this will decrease security a little bit, but it will give the user more time.

If there are other suggestions for solving this problem, I am also open to them. We are currently also considering Intune for trusted devices and IP ranges. But I would like to hear other perspectives.

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-01-13T21:51:40.04+00:00

    Hi Ruben,

    For one-way SMS with Azure MFA in the cloud (including the AD FS adapter or the Network Policy Server extension), you cannot configure the timeout setting. Azure AD stores the verification code for 180 seconds. https://learn.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-faq

    Aside from improving the connection itself, there are some potential solutions I can think of:

    You can set "remember MFA" for trusted devices so that users aren't prompted and don't have to go through this as frequently.

    If you are using Phone MFA, you can adjust the timeout by adding a recording. One way to do this as a workaround is to record a message that is 18+ seconds long and upload it as "Greeting(Standard)." This will push the timeout long enough for it to route through the phone system and have enough time to press # to verify. See instructions here: https://learn.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#custom-voice-messages