
MFA being constantly asked

Anonymous
2020-10-29T10:34:05+00:00

Hello all,

This is an interesting one for you. I have a company who uses multiple domains within Azure and Office 365. They have their passwords set to expire every 90 days and use MFA. MFA is set to expire every day. They have multiple shared mailboxes but only use one login for Windows 10. Depending on the department, the users used different domains, so you identify the user by the domain they used.

As part of their marketing campaign, they decided to standardise all of their users on one single domain to simplify it. Some users were already on this domain, so it wasn't a new one that was set up. All users not on this domain were moved over in one go (not recommended).

Since the domain change, most users are now getting multiple MFA requests rather than the one. Some users are getting the request each time they open a SharePoint document such as Excel or Word. They also get requests when logging in to each app such as Word, Outlook, Excel etc. Some users are only getting 3 requests but then they're asked to sign in throughout the day.

We've removed the credentials from the local laptop. Cleared the browser history. Removed the user from the laptop and added them back in. Gone to the Registry and removed the Identity from the location

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity

Removed MFA, signed out the users and that hasn't worked either. Microsoft are also currently at a loss. We're sure that the domain change caused it and we can't be the only ones to do this. Any thoughts please, it's been an issue for 2 months now.

Many thanks


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
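The question describes clearing cached credentials and the Office Identity registry key by hand. The following PowerShell is an added example, not part of the original post, that inventories the same per-user Office identity cache so the cleanup can be verified before the user signs in again. It runs in the affected user's own session (HKCU is per user); the expected domain suffix is a placeholder, and the identity value names under each subkey are read generically rather than assumed.

```powershell
# Added example (not from the original post): inventory the Office identity
# cache and Credential Manager entries so a cleanup can be checked.

$identityRoot   = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
$expectedSuffix = 'contoso.com'   # placeholder: the single domain all users were moved to

function Get-CachedOfficeIdentities {
    param([string]$Root = $identityRoot)
    $identitiesKey = Join-Path $Root 'Identities'
    if (-not (Test-Path $identitiesKey)) { return @() }
    foreach ($key in Get-ChildItem -Path $identitiesKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        # Collect every string value that looks like a sign-in address,
        # whatever the value is named (no specific value names are assumed).
        $addresses = $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match '^[^@\s]+@[^@\s]+$' } |
            ForEach-Object { $_.Value.ToLowerInvariant() } |
            Sort-Object -Unique
        foreach ($addr in $addresses) {
            [pscustomobject]@{
                SubKey  = $key.PSChildName
                Address = $addr
                Suffix  = $addr.Split('@')[1]
            }
        }
    }
}

function Test-IdentityCacheClean {
    # Summarise what is left behind: entries still carrying an old domain
    # suffix, and the same address cached more than once. Both are worth
    # investigating when prompts persist, not proof of the cause.
    $ids   = @(Get-CachedOfficeIdentities)
    $stale = @($ids | Where-Object { $_.Suffix -ne $expectedSuffix })
    $dupes = @($ids | Group-Object -Property Address | Where-Object { $_.Count -gt 1 })
    [pscustomobject]@{
        CachedIdentities   = $ids.Count
        OldDomainEntries   = $stale.Count
        DuplicateAddresses = $dupes.Count
    }
}

function Get-OfficeCredentialEntries {
    # Windows Credential Manager keeps Office sign-in tokens under target names
    # beginning with "MicrosoftOffice16_Data"; list them for the same check.
    cmdkey /list | Where-Object { $_ -match 'MicrosoftOffice' } | ForEach-Object { $_.Trim() }
}

Get-CachedOfficeIdentities | Format-Table -AutoSize
Test-IdentityCacheClean
Get-OfficeCredentialEntries
```

Run it once before and once after the cleanup for one affected user; if the summary still shows entries on an old suffix or Credential Manager still lists Office targets, the client-side reset was incomplete and the extra prompts cannot yet be attributed to the tenant configuration alone.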


7 answers

  1. Anonymous
    2020-11-03T20:59:40+00:00

    Hi Linda,

    That's correct, each user has the same sign-in address as their display address and we have seen this first hand.

    Thank you for the advice on how to change the domain, we will make sure that this is done correctly should the need arise again. 

    All other users had 7 MFA requests today for Office apps and opening SharePoint files. This is obviously getting critical; they simply cannot continue to function like this as it's been ongoing for months now and no one seems to know what to do to correct it.

    We can certainly disable MFA for that one user but I don't see how that helps us with the underlying problem?

    1 person found this answer helpful.
  2. Anonymous
    2020-11-02T11:45:35+00:00

    Hi,

    No changes were made since my last communication. However, one user was having severe issues with MFA again. Every Office app and document within SharePoint was asking for MFA sign in. 

    From tomorrow, the 7 days are up so we are expecting a large response from them again. 

    Is there anything at all you can suggest here?

  3. Anonymous
    2020-10-31T09:15:51+00:00

    Hi Mick,

    How are things going after changing the setting?

    Thanks,

    Linda

  4. Anonymous
    2020-10-30T10:51:00+00:00

    Hi Linda,

    Thanks for replying.

    Users were moved by changing their display name. No, the org is not set up with conditional access; they do not have P1 or P2 licenses.

    The refresh token is set to 90 days currently and please see the service settings below. You'll notice it's currently set to 7 days; we're testing this to see whether this makes a difference as the organisation would like it to be set for 1 day, which it was until early this week.

  5. Anonymous
    2020-10-29T14:48:33+00:00

    Hi Mick,

    Greetings.

    I would like to know how you moved these users who were not on this domain. By adding new accounts in the domain and deleting the old accounts, or by changing the users' display name?

    For further checking, please share a screenshot of your org MFA service settings. Go to Microsoft 365 admin center > Active users > click ‘Multi-factor authentication’ > service settings.

    And may I know if your org set up conditional access on trusted devices, locations, or low-risk sessions?

    Besides, the Multi-Factor Session Token Max Age policy controls how long a user can use a session token to get a new ID and session token after the last time they authenticated successfully by using multiple factors. I suggest you run a PowerShell cmdlet to check the token lifetime. Reference for you: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#configurable-token-lifetime-properties-after-the-retirement

    Thanks,

    Linda

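Linda's reply suggests checking the token lifetime with PowerShell but does not show the commands. The following is an added example, not Linda's code and not Microsoft's, that reads every TokenLifetimePolicy in the tenant with the AzureAD module and reports each setting, marking the multi-factor session properties the linked documentation lists as retiring. It assumes the AzureAD module is installed and a Global Administrator signs in with Connect-AzureAD; the function names are this example's own, and the property names inside Definition follow the linked documentation.

```powershell
# Added example (not from the original answer): list TokenLifetimePolicy
# settings and where they are applied, using the AzureAD PowerShell module.

Import-Module AzureAD
if (-not (Get-AzureADCurrentSessionInfo -ErrorAction SilentlyContinue)) {
    Connect-AzureAD | Out-Null
}

# Session/refresh properties the linked documentation lists as retiring in
# favour of Conditional Access sign-in frequency. AccessTokenLifetime remains.
$retiredProperties = 'MaxInactiveTime', 'MaxAgeSingleFactor', 'MaxAgeMultiFactor',
                     'MaxAgeSessionSingleFactor', 'MaxAgeSessionMultiFactor'

function Get-TokenLifetimePolicies {
    Get-AzureADPolicy -All $true | Where-Object { $_.Type -eq 'TokenLifetimePolicy' }
}

function Get-TokenLifetimeSettings {
    foreach ($policy in Get-TokenLifetimePolicies) {
        # Definition is a list of JSON strings, each wrapping a TokenLifetimePolicy object.
        foreach ($json in $policy.Definition) {
            $settings = ($json | ConvertFrom-Json).TokenLifetimePolicy
            foreach ($prop in $settings.PSObject.Properties) {
                [pscustomobject]@{
                    PolicyName      = $policy.DisplayName
                    IsTenantDefault = $policy.IsOrganizationDefault
                    Setting         = $prop.Name
                    Value           = $prop.Value
                    Retired         = $retiredProperties -contains $prop.Name
                }
            }
        }
    }
}

function Get-TokenLifetimeAssignments {
    # Which applications or service principals each policy is linked to;
    # a policy that is neither tenant default nor assigned has no effect.
    foreach ($policy in Get-TokenLifetimePolicies) {
        Get-AzureADPolicyAppliedObject -Id $policy.Id | ForEach-Object {
            [pscustomobject]@{
                PolicyName = $policy.DisplayName
                AppliedTo  = $_.DisplayName
                ObjectId   = $_.ObjectId
            }
        }
    }
}

$settings = @(Get-TokenLifetimeSettings)
if ($settings.Count -eq 0) {
    'No TokenLifetimePolicy defined; the tenant defaults apply.'
}
$settings | Format-Table -AutoSize
Get-TokenLifetimeAssignments | Format-Table -AutoSize
```

If the output shows no policy, the 90-day refresh token and 1-day MFA expiry mentioned earlier in the thread are not coming from a custom policy, which points the investigation back at the service settings screenshot and the client-side identity cache. Note that the replacement for the retired properties, Conditional Access sign-in frequency, requires an Azure AD Premium P1 license, which the reply above says the organisation does not have.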