How to use conditional access with a (very) slow internet connection?

Ruben 21 Reputation points
2020-01-13T16:17:15.033+00:00

Hi all,

I am currently encountering a situation where we are rolling out conditional access. This is going well, but we have one group of users that have very slow (satellite) internet. The internet is so slow that users tend to miss the expiration deadline for MFA codes.

I was wondering if there are minimum internet requirements for rolling out conditional access in the docs somewhere?

Also, if we assume that speeding up the internet is not a solution, is it possible to somehow increase the expiration time for a MFA token? Or to allow more than only the current MFA token.
Of course this will decrease security a little bit, but it will give the user more time.

If there are other suggestions to solving this problem, I am also open to it. We are currently also considering Intune for trusted devices and IP ranges. But I would like to hear other perspectives.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,643 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 37,046 Reputation points Microsoft Employee
    2020-01-13T21:51:40.04+00:00

    Hi Ruben,

    For one-way SMS with Azure MFA in the cloud (including the AD FS adapter or the Network Policy Server extension), you cannot configure the timeout setting. Azure AD stores the verification code for 180 seconds. https://learn.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-faq

    Aside from improving the connection itself, there are some potential solutions I can think of:

    You can set "remember MFA" for trusted devices so that users aren't prompted and don't have to go through this as frequently.

    If you are using Phone MFA you can adjust the timeout by adding a recording. One way to do this as a workaround is to record a message that is 18+ seconds long long and upload it as "Greeting(Standard)." This will push the timeout long enough for it to route through the phone system and have enough time to press # to verify. See instructions here: https://learn.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#custom-voice-messages


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.