MFA prompts for individual apps
Question
Wednesday, June 13, 2018 9:26 PM
Hello,
We are experiencing issues where we are getting prompts for individual apps during login, i.e. Outlook and ODfB.
We have AzureMFA in Cloud and Conditional Access rules.
Should the token be transparent (one token for multiple services), or should each app "ask" for a unique individual token?
Thank you
All replies (13)
Thursday, June 14, 2018 5:55 AM
To avoid multiple MFA prompts, you may use "remember Multi-Factor Authentication" for trusted devices. Users can bypass subsequent verifications for a specified number of days after they've successfully signed in to a device using Multi-Factor Authentication. Refer: Configure Azure Multi-Factor Authentication settings
Thursday, June 14, 2018 6:42 AM
Hello Ajay,
Thank you for reply.
We are trying to avoid this setting as it could potentially cause security issues if users access and trust "Grandma's PC".
Our problem is not the frequency of prompts; it is getting prompted for individual apps upon access. Here is an example:
I have an O365 cloud account with the user/global MFA level set to "Disabled". I have two CA rules, one targeting EXO and one targeting ODfB, requiring MFA from external/untrusted networks. I am getting MFA prompts for each application upon access. My understanding is that the MFA/second-factor token should be shared/passed between services, and once I authenticate for one app, I should not need to authenticate for the second if the tokens have not expired.
Thank you, Audrius
Thursday, June 14, 2018 10:50 AM
Depends.
If there are browser sessions, they share the session cookie (for the same browser process), but different apps have different tokens as far as I know (I think I read somewhere that they were trying to make this more streamlined and reuse credential tokens).
Thursday, June 14, 2018 4:22 PM
Both are thick clients, so they should be using the same experience?
This is what I am trying to figure out, as different people at Microsoft told me completely opposite things: some said that tokens are unique per app and some said that they are shared (excluding Teams, as that uses a different authentication mechanism).
Anyone else seeing similar behavior?
Friday, June 15, 2018 10:33 AM
Each client app would need to have its own authorization token. Hence, the first time each app is configured, it would present the MFA challenge, without which the authorization token won't be issued. Once the token is issued, the client app would subsequently not request MFA until the credentials are changed (change of password).
However, in the case of browser sessions, once the authorization token is issued after the MFA challenge, it would not ask for second-factor authentication again until the browser session(s) end.
Tuesday, June 19, 2018 10:18 AM
Just checking in if you have had a chance to see the previous response. If that answers your query, do click “Mark as Answer” and Up-Vote for the same. If you have any further query then do let us know.
Tuesday, June 19, 2018 1:18 PM | 1 vote
Hello,
Unfortunately this is not behavior we get.
We are asked to MFA for each application individually and, on some occasions, even 2-3 times for one application, Outlook. This is regardless of whether we are using user-level MFA (global) or MFA based on Conditional Access, and whether all apps start at the same time (boot) or with 5 minutes in between.
Any ideas what to look for in such scenarios?
Friday, June 22, 2018 11:45 PM
Hello,
Please note that when MFA has been completed, the MFA claim is added to the refresh token. Any apps that are accessed that require MFA at that point should no longer prompt for MFA because it has already been completed. However, if you are using Windows 10 and users are being prompted for credentials repeatedly (not just MFA), you may need to install an update to address the issue. Here are a couple of examples:
https://support.microsoft.com/en-us/help/4093117/windows-10-update-kb4093117
https://support.microsoft.com/en-us/help/4058258/windows-10-update-kb4058258
Note that one of the issues addressed in these updates is:
“Addresses an issue that causes Microsoft and Azure Active Directory accounts to receive the password prompt repeatedly instead of only once.”
Please try this out and let us know if you still face an issue. Thanks.
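The reply above says that, once a second factor has been completed, the MFA claim travels in the refresh token and later apps should reuse it rather than prompt again. One way to check whether that is what a tenant is actually doing is to look at the per-app sign-in records and separate "the user was challenged again" from "an existing claim was reused". The script below is an added example, not code from this thread or from Microsoft. It assumes sign-in records shaped like Microsoft Graph's signIn resource (the data behind the Azure AD Sign-ins blade; the authenticationDetails collection is exposed in the beta version of that resource); the records, users, apps and times embedded here are constructed for the example, and the result-detail strings mirror the portal's wording for a fresh challenge, a reused claim, and a remembered device.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data) shaped like Microsoft Graph's
# signIn resource, which is what the Azure AD "Sign-ins" blade displays. The
# authenticationStepResultDetail strings are the portal's wording for whether a
# second factor was freshly performed, reused from an existing MFA claim, or
# skipped because the device was remembered.
SAMPLE_SIGNINS = json.loads(r"""[
 {"userPrincipalName": "audrius@contoso.example", "appDisplayName": "Outlook",
  "createdDateTime": "2018-06-19T08:00:10Z", "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true, "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"userPrincipalName": "audrius@contoso.example", "appDisplayName": "OneDrive for Business",
  "createdDateTime": "2018-06-19T08:00:45Z", "authenticationDetails": [
   {"authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"userPrincipalName": "audrius@contoso.example", "appDisplayName": "Microsoft Teams",
  "createdDateTime": "2018-06-19T08:01:20Z", "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"userPrincipalName": "audrius@contoso.example", "appDisplayName": "Skype for Business",
  "createdDateTime": "2018-06-19T08:02:05Z", "authenticationDetails": [
   {"authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"userPrincipalName": "audrius@contoso.example", "appDisplayName": "Outlook",
  "createdDateTime": "2018-06-19T08:04:30Z", "authenticationDetails": [
   {"authenticationMethod": "Mobile app notification", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
  "createdDateTime": "2018-06-19T08:00:00Z", "authenticationDetails": [
   {"authenticationMethod": "Text message", "succeeded": true, "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "OneDrive for Business",
  "createdDateTime": "2018-06-19T08:00:30Z", "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
  "createdDateTime": "2018-06-26T08:00:00Z", "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement skipped due to remembered device"}]}
]""")


def classify_mfa(signin):
    """How the second factor was handled for one sign-in record:
    'fresh'      - the user was actually challenged again
    'claim'      - an MFA claim already present in the token was reused
    'remembered' - skipped by the "remember MFA on trusted devices" setting
    'none'       - no MFA step recorded (single-factor sign-in)"""
    for step in signin.get("authenticationDetails", []):
        detail = step.get("authenticationStepResultDetail", "")
        if detail.startswith("MFA completed"):
            return "fresh"
        if "satisfied by claim" in detail:
            return "claim"
        if "remembered device" in detail:
            return "remembered"
    return "none"


def _parse_time(value):
    # Graph timestamps are UTC with a trailing "Z"; keep them naive for arithmetic.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def summarize(signins):
    """Per-user count of each MFA outcome, e.g. {"user": {"fresh": 4, "claim": 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for s in signins:
        counts[s["userPrincipalName"]][classify_mfa(s)] += 1
    return {user: dict(c) for user, c in counts.items()}


def repeated_prompts(signins, window=timedelta(minutes=15)):
    """Users who were freshly challenged more than once inside `window`, with the
    apps that prompted them in order. A healthy trace looks like bob's: one fresh
    challenge, then later apps satisfied by the claim already in the token."""
    fresh = defaultdict(list)
    for s in signins:
        if classify_mfa(s) == "fresh":
            fresh[s["userPrincipalName"]].append((_parse_time(s["createdDateTime"]), s["appDisplayName"]))
    flagged = {}
    for user, prompts in fresh.items():
        prompts.sort()
        for i, (start, _) in enumerate(prompts):
            burst = [app for t, app in prompts[i:] if t - start <= window]
            if len(burst) > 1:
                flagged[user] = burst
                break
    return flagged


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SIGNINS), indent=1))
    for user, apps in repeated_prompts(SAMPLE_SIGNINS).items():
        print(f"{user}: {len(apps)} fresh MFA prompts within 15 minutes: {', '.join(apps)}")
```

To run this against real data, replace SAMPLE_SIGNINS with records exported from the Sign-ins blade as JSON or fetched from Graph's auditLogs/signIns endpoint. A user who shows up in repeated_prompts with several apps in one burst (audrius in the sample) is seeing exactly the symptom described in this thread: each client obtained its own token without the MFA claim being carried over, or the client was asked to re-authenticate from scratch, which is the case the Windows 10 updates above are meant to address.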
Monday, June 25, 2018 11:06 AM
@AudrPuik, I hope the previous response was helpful. Please share your experience by marking the post as answer that actually answered your query/was helpful. We would be glad to help you further if you've more questions in this regard.
Thursday, October 11, 2018 12:24 PM
We have the exact same problem. If a user logs in from home, they get an MFA prompt for Outlook, Skype for Business, OneDrive for Business, Teams, and any other apps they might have installed. I do have the trusted device setting set to 7 days, but it is still an annoyance and without a shared token I don't see a way that this can be resolved.
Have you found any kind of resolution or workaround to make this less impactful to your users?
Andrew Schwalbe
Friday, January 11, 2019 11:36 AM
Has anyone found a solution for this, we experience the same scenario.
When outside a trusted network, every 7 days users are prompted to enter an MFA auth code; the issue is that when you log into Windows 10, all your apps start up and users are prompted for an auth code for each app: OneDrive, Skype, Teams, Outlook.
This causes confusion and a negative user experience with MFA.
Monday, January 14, 2019 11:25 PM
What does it say for these users in aka.ms/mfasetup?
Friday, January 18, 2019 3:23 PM
This is not a Microsoft MFA issue, but a per-application issue. You should not be seeing users have to re-authenticate in their apps if they regularly access their programs during the week. If your inactivity timeout is set to 14 days, then consider adjusting it to the new 90-day default.