MFA Prompts Hybrid Setup

DH-015924 0 Reputation points
2024-11-22T02:41:30.1766667+00:00

We've recently rolled out MFA across our organisation, and I'm trying to understand how we can implement this without friction.

We currently have a hybrid Entra AD setup with Microsoft Entra Connect installed on a DC, and currently users are being prompted for MFA in the Edge work profile, as well as the M365 desktop applications (Outlook, Teams, Word, PowerPoint, etc.) once a day.

This is in addition to our VPN that prompts for both password and MFA.

We're getting feedback that people are getting multiple prompts a day, so I'm trying to wrangle that.

I'd like to rejig it so that you're not prompted for sign-in on Edge profile sync every 7 days (to keep your profile synced), but still required to sign in when accessing bookmarks that require authentication (SharePoint or any of the web services) every 24 hours.

However, I want VPN sign-in to prompt only for MFA, not password, every 24 hours and, if successful, the rules above apply as if the user is in the office. Is this something that can be achieved with just Entra, or do I need to involve Intune?


1 answer

  1. Goutam Pratti 745 Reputation points Microsoft Vendor
    2024-11-25T09:51:28.7166667+00:00

    Hello @DH-015924 ,

    Thank you for reaching out to Microsoft Q&A.

    I understand that you're getting feedback that people are getting multiple prompts a day instead of once in a day for your M365 applications.

    Please note that you can achieve your requirement using conditional access policies.

    Sign in to the Microsoft Entra admin center, then:

    1. Go to Microsoft Entra ID > Security > Protect > Conditional Access and create a new policy.
    2. Select the users you need.
    3. In Target Resources, include Office 365.
    4. Select Grant > Grant access > Require multifactor authentication.
    5. Go to Session > Sign-in frequency > periodic authentication (1 day).
    6. Select Enable policy > On.
    It is not possible to configure VPN sign-in to prompt only for MFA every 24 hours using Conditional Access policy, because enabling a sign-in frequency of 24 hours will revoke both password and MFA sessions, requiring the user to reauthenticate with both credentials.

    Note: It is not possible from the Microsoft Entra ID side to create a policy to sync the Edge profile alone using Conditional Access policies.

    For additional information, see: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Regards,
    Goutam Pratti.
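As an added example that is not part of the original answer, here is the same Office 365 policy (MFA grant plus a 1-day sign-in frequency) created through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed and that `<PILOT-GROUP-OBJECT-ID>` is replaced with the object ID of a pilot group; both are assumptions, not values from the post.

```powershell
# Added example (not from the original post): the Conditional Access policy the
# answer above builds in the portal, created with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and that <PILOT-GROUP-OBJECT-ID>
# is replaced with the object ID of a pilot group (placeholder).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA - Office 365 - MFA with 1-day sign-in frequency"
    # Start in report-only mode so the sign-in logs show who would be prompted
    # before anyone is affected; switch to "enabled" once the impact is reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @("<PILOT-GROUP-OBJECT-ID>") }
        # "Office365" is the built-in target covering the Office 365 service apps
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            type              = "days"
            value             = 1
            frequencyInterval = "timeBased"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the session control actually landed
# before flipping the state to "enabled".
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Format-List IsEnabled, Type, Value
```

Review the report-only results in the sign-in logs for a few days before enabling the policy, since the 1-day frequency will also reset sessions for every app in the Office 365 target, not only the ones users complained about.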
