I am currently implementing Azure Conditional Access for a large group of users. Everything looks good, but we are getting complaints that people need to reauthenticate too often. We have configured the "Remember MFA" checkbox for 30 days. I would expect that if somebody logs in on device X with this checkbox checked, they would not have to provide an MFA token for the next 30 days, independent of their IP. But it seems that people get MFA challenges when switching between IPs a lot.
Is this correct behaviour? And what is the trigger for requesting a new MFA token? Also, suggestions to "fix" this behaviour?