Conditional Access Sign in frequency seems to be ignored

Aaron D. Klein 1 Reputation point
2021-02-19T18:44:57.51+00:00

I am trying to set up two conditional access policies that set the sign-in frequency for the bulk of our users to a value of X while select app(s) have a sign-in frequency of Y. Prior to last week we had the sign-in frequency window set in apparently two places. It was set in the conditional access policy and also under Security/MFA/Additional cloud-based MFA settings. This latter location seems to be a global setting, and when I removed that setting the "don't ask again for X period of time" option during the MFA login went away and users were having to MFA upon every login. The "Show option to remain signed in" is set to No under Company Branding within Azure AD, as I have seen some documentation referring to that needing to be turned off or suggesting it should be turned off.

Under the conditional access policy I have All cloud apps set and under Session I have Sign-in frequency set, yet when a user logs into an Azure SSO-enabled app they are not prompted to "do not ask again" for X period; instead they are required to MFA on every session. I have also tried setting the Persistent browser session option to both Always and Never, and neither seems to cause the "do not ask again" check box to come up when prompted for MFA for the period set in the conditional access policy. When looking at a user's sign-in log I see the sign-in session, and when looking at the Conditional Access tab I see that particular policy being applied. I do not see anything that might be keeping the "do not ask again for X period" option from coming up.

Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 34,066 Reputation points Microsoft Employee
    2021-02-23T21:32:23.227+00:00

    The "remember Multi-Factor Authentication" feature is not compatible with B2B users and will not be visible for B2B users when signing into the invited tenants, and it also isn't compatible with the "keep me signed in" feature of AD FS.

    Is it possible that the users are switching browsers or clearing cookies? When a user selects the "Don't ask again for X days" option at sign-in the "remember Multi-Factor Authentication" feature sets a persistent cookie on the browser. The user isn't prompted again for Multi-Factor Authentication from that same browser until the cookie expires. But if the user opens a different browser on the same device or clears their cookies, they're prompted again to verify.

    The feature can increase the number of authentications for modern authentication clients that normally prompt every 90 days. The feature also doesn't work on non-browser applications, regardless of whether the app supports modern authentication. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

    Also, which browser are they using? There is a known issue with the Internet Explorer browser that can cause the prompt to not appear.

    Let me know if any of these scenarios apply to you.

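A practical way to check the two things the answer above asks about (which policies carry a sign-in frequency or persistent-browser control, and what actually got applied to a given user's sign-ins) is to read both from Microsoft Graph. The script below is an added example for this thread, not code from the original poster or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets `Get-MgIdentityConditionalAccessPolicy` and `Get-MgAuditLogSignIn`. The UPN `user@contoso.com` is a placeholder, and the account running it is assumed to hold a role that can read Conditional Access policies and sign-in logs (for example Global Reader or Security Reader). The legacy "remember multi-factor authentication on trusted device" setting that the thread discusses is not exposed through these cmdlets, so it is not checked here.

```powershell
# Added example for this Q&A thread (not from the original post or from Microsoft).
# Part 1 lists every Conditional Access policy that sets a sign-in frequency or
# persistent-browser session control. Part 2 pulls one user's recent sign-ins and
# prints which policies Entra applied and which session controls it reports as
# enforced, warning when no applied policy enforced a sign-in frequency.
# Requires: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.

param(
    [string]$UserPrincipalName = 'user@contoso.com',   # placeholder UPN, replace
    [int]$SignInCount = 10
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# --- Part 1: session controls configured in the tenant -------------------------
$policies = Get-MgIdentityConditionalAccessPolicy -All
$rows = foreach ($p in $policies) {
    $sif = $p.SessionControls.SignInFrequency
    $pb  = $p.SessionControls.PersistentBrowser
    if (-not $sif.IsEnabled -and -not $pb.IsEnabled) { continue }

    [pscustomobject]@{
        Policy            = $p.DisplayName
        # Only 'enabled' policies enforce anything; report-only and disabled never prompt.
        State             = $p.State
        Apps              = ($p.Conditions.Applications.IncludeApplications -join ',')
        Users             = ($p.Conditions.Users.IncludeUsers -join ',')
        SignInFrequency   = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { '-' }
        PersistentBrowser = if ($pb.IsEnabled) { $pb.Mode } else { '-' }
    }
}
"== Policies with sign-in frequency / persistent browser controls =="
$rows | Format-Table -AutoSize

$notEnforced = $rows | Where-Object { $_.State -ne 'enabled' }
if ($notEnforced) {
    Write-Warning ("These policies are not in the 'enabled' state and will not enforce their session controls: " +
                   (($notEnforced.Policy) -join '; '))
}

# --- Part 2: what was actually applied to the user's sign-ins ------------------
"`n== Recent sign-ins for $UserPrincipalName =="
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $SignInCount
foreach ($s in $signIns) {
    "{0:u}  app={1}  client={2}" -f $s.CreatedDateTime, $s.AppDisplayName, $s.ClientAppUsed
    foreach ($ap in $s.AppliedConditionalAccessPolicies) {
        # Result is one of success / failure / notApplied / notEnabled / reportOnly* etc.
        "    {0,-45} result={1,-12} session=[{2}]" -f $ap.DisplayName, $ap.Result,
            ($ap.EnforcedSessionControls -join ',')
    }
    # The symptom in the question: a policy shows as applied, yet the browser
    # re-prompts every session. Flag sign-ins where no successfully applied
    # policy reports a sign-in frequency control among its enforced controls.
    $sifEnforced = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'success' -and ($_.EnforcedSessionControls -match 'frequency') }
    if (-not $sifEnforced) {
        Write-Warning "    No applied policy enforced a sign-in frequency on this sign-in."
    }
}
```

Run it once with the UPN of an affected user and once with an unaffected one; if the affected user's sign-ins show the expected policy with `result=success` but an empty or frequency-less `session=[...]` list, the control was not enforced on that sign-in, which narrows the problem to the policy's session-control configuration rather than to the browser or cookies.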

  2. Aaron D. Klein 1 Reputation point
    2021-02-24T00:58:45.067+00:00

    Thank you for your response. If I uncheck the "remember multifactor authentication on trusted device" under Security/MFA/Other Cloud MFA settings the check box for "do not ask again" will vanish. We have used SSO with MFA for up to a year now in testing with the IT department staff and went wide scale on it last month. During all this testing the Other Cloud MFA settings were checked and things worked as one would expect.

    Two weeks ago I unchecked this box as I was not able to set up a second conditional access policy for a specific app and a specific set of users to have a more stringent "do not ask" date policy (sign-in frequency). The new sign-in frequency was not being enforced. That is why I removed the check box under Other Cloud MFA settings, and once I did that the "do not ask" checkbox went away.

    It is not just not showing the check box; the sign-in frequency setting is being ignored, as we have our normal policy set to 14 days for everyone and 1 day for the IT center. When the Other Cloud MFA settings box is not checked it does not remember, period. I have personally opened a browser, logged into one of the cloud apps, and am prompted for MFA with no "do not ask" box. I satisfy that MFA prompt, close the browser, launch the same browser, log in, and once again am prompted for MFA without the "do not ask" box. The browser is not set to clear cookies when quitting, and the behavior instantly goes back to what is expected when the Other Cloud MFA settings box is enabled. The "do not ask" box reappears and, if checked, the browser will not ask for the specified period of time.
