Users being logged out once MFA enabled

CHFL-9529 1 Reputation point

After enabling MFA on users accounts and applying conditional access policy we identified some users experiencing the following issues

  1. When reviewing email on the Outlook App on IOS they view a pop up about a new message but then the email does not appear in app until they log back in again
  2. Also IOS users getting prompted multiple times a day for MFA when the conditional policy is once a day

Are there any correlations to the frequency of login requirements to the conditional access policy?

just curious if others experienced these issues and how they resolved them

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,862 questions
{count} votes

3 answers

Sort by: Most helpful
  1. CHFL-9529 1 Reputation point


    We changed sign in frequency to 7 days. Initially it was every day. When it was every day users complained they were having issues many times a day being prompted and then not seeing apps in their mobile Outlook app. Images of the settings added.


    0 comments No comments

  2. risolis 8,701 Reputation points

    Hello @CHFL-9529

    I just wanted to add a few details on this one.

    -The following settings, such as Remember MFA and Remain signed-in, can result in prompts for your users to authenticate too often.

    • Keep the Remain signed-in option enabled and guide your users to accept it.

    -A user might see multiple MFA prompts on a device that doesn't have an identity in Azure AD. Multiple prompts result when each application has its own OAuth Refresh Token that isn't shared with other client apps

    -You can try to click the option "Revoke sessions" and test it

    -Use the "Trusted devices" option


    0 comments No comments

  3. CHFL-9529 1 Reputation point

    Thank you all so much
    We do have the option "Show option to remain signed in" enabled but we can encourage users to check it.
    Will have a look at the other suggestions "application has its own OAuth Refresh Token that isn't shared with other client apps" and "conditional access policy settings"

    0 comments No comments