Ruben-7465 asked, azure-cxp-api edited

Will IP changes trigger reauthentication for Microsoft Conditional Access MFA?

I am currently implementing Azure Conditional Access for a large group of users. Everything looks good, but we are getting complaints that people need to reauthenticate too often. We have configured the "Remember MFA" checkbox for 30 days. I would expect that if somebody logs in on device X with this checkbox checked, they would not have to provide an MFA token for the next 30 days, independent of their IP. But it seems that people get MFA challenges when they switch IPs a lot.

Is this correct behaviour? And what is the trigger for requesting a new MFA token? Also, any suggestions to "fix" this behaviour?

Tags: azure-active-directory, azure-ad-conditional-access

amanpreetsingh-msft answered

@Ruben-7465
Yes, a change in network triggers MFA even if the user selected to remember it for X number of days. The only option to avoid triggering MFA is by configuring Trusted locations.

SaurabhSharma-msft answered, SaurabhSharma-msft commented

If you have configured a Conditional Access policy with the Location condition set to Any location, the policy is applied to all IP addresses. Also, a change of location is detected within an hour of changing the network location for applications using modern authentication. Ideally, it is recommended to keep MFA enabled on location change to block access from untrusted networks and by non-legitimate users.
You can exclude specific locations from a policy by defining trusted locations or defining MFA trusted IPs. Please refer to the documentation -


Dear Sashar,

That is clear. However, I can't find this anywhere in the documentation.

Let's assume that we don't use trusted locations. So the person logs in on network A with his phone and checks the remember MFA option. He drives for two hours to another location and goes on the network there. Does he get prompted for MFA on this same device? I would expect not, and I cannot find any documentation regarding this, but if I read your story correctly, after one hour he does need to do the MFA challenge again?

0 Votes

Yes, the user will be prompted for MFA due to the network change.

0 Votes
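The trusted-location exclusion that both answers describe, written out as an added example (this is not code from the thread or from Microsoft): it creates an IP named location marked as trusted and a Conditional Access policy that requires MFA from every location except that one, using the Microsoft Graph PowerShell SDK. The CIDR range, display names and pilot-group object id are placeholders to replace with your own values; the policy is created in report-only state so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A named location for the office egress range, marked as trusted.
#    203.0.113.0/24 is a documentation range used here as a placeholder.
$trustedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. A policy that requires MFA for all cloud apps from any location,
#    excluding the trusted location created above. Scoped to a pilot group
#    and created in report-only mode so nobody is locked out while testing.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside trusted locations (placeholder)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @("<pilot-group-object-id>") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($trustedLocation.Id)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

# 3. Read both objects back to confirm what was actually stored.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $trustedLocation.Id |
    Select-Object DisplayName, Id
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, Id
```

Two points worth keeping in mind when applying this to the scenario in the question. First, the exclusion only suppresses the MFA prompt for sign-ins that arrive from the listed ranges; a user whose phone moves between networks outside those ranges is still prompted, exactly as the answers state. Second, keep the trusted ranges narrow: marking a location as trusted also lowers the risk Identity Protection assigns to sign-ins from it, so a broad trusted range weakens both the MFA policy and risk-based detections. Switch `state` to `enabled` only after the report-only results in the sign-in logs look right for the pilot group.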