Azure Conditional Access: sign-in frequency and SSO

Robin 1 Reputation point
2020-06-12T12:08:46.367+00:00

Hi,

We have 3 apps which are doing SAML SSO to our local VPN solution.
We are using local AD and are syncing our users without password to Azure with Azure AD Connect.

What we wanted to have:
MFA on 'every' VPN connection without typing in username + password (so SSO + MFA)

We solved this with one conditional access rule for the specified VPN apps. Just a rule for all users, on the apps, with grant access only with required MFA. But users were able to select "Keep me signed in" on the ADFS login screen and have seamless SSO for days with "MFA requirement satisfied by claim in the token". That's not what we wanted. So I set "sign-in frequency" in conditional access to 1 hour. And it worked as expected. The users connect with MFA and can reconnect for 1 hour without MFA. SSO was provided by IE and the Active Directory domain user.

Yesterday a user told us that he has to type in his domain user's password after closing the connection and reconnecting. And it's reproducible. Since yesterday the SSO is broken when you try to run the VPN after closing the connection. This correlates with the "sign-in frequency" setting. Without it, SSO works without a problem. So enabling "sign-in frequency" breaks the SSO.

First question: is it correct to implement the requirement of enforced MFA for one app with Conditional Access and "sign-in frequency"? I did not find any other way to specify login rules for a single app. Sure, I can suppress the "keep me signed in" on ADFS, but it will be suppressed in general and not just for the VPN apps.
Second question: is there a way to find out that MS changed the behavior of the "sign-in frequency" setting? I had no email regarding this.

Best,
Robin

Microsoft Entra ID

2 answers

  1. Robin Peters 6 Reputation points
    2020-07-03T09:19:50.077+00:00

    Is here any possibility to force MFA with time limit in azure for some apps?

    1 person found this answer helpful.

  2. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2020-06-12T22:55:15.12+00:00

    So you are not enforcing MFA universally for each app?

    The persistent browser session control works only if you select all cloud apps; if you try to exclude an application you will get an invalid session control error. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

    https://techcommunity.microsoft.com/t5/azure-active-directory-identity/manage-authentication-sessions-in-azure-ad-conditional-access-is/ba-p/500983

    Not sure what you mean by changing behavior. Can you clarify? The full feature is covered here.
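The two session controls discussed in this thread (sign-in frequency, which the asker scoped to the VPN apps, and persistent browser session, which the answer says is only accepted when the policy targets all cloud apps) map onto the `sessionControls` object of the Microsoft Graph `conditionalAccessPolicy` resource. The following is an added example, not code from the poster or from Microsoft: it builds the policy body that would be sent to `/identity/conditionalAccess/policies` and runs a pre-flight check for the scoping constraint the answer describes, so a misconfigured policy is caught before it is submitted. The application IDs are constructed placeholders, and the `validate_policy` helper is this example's own, not a Graph API call.

```python
"""Build and pre-check an Azure AD / Entra Conditional Access policy body.

Added example for the thread above; the policy shape follows the Microsoft
Graph conditionalAccessPolicy resource. The app IDs below are constructed
placeholders, and validate_policy() is a local helper, not a Graph call.
"""
from typing import Any, Optional

ALL_APPS = "All"  # Graph value meaning "All cloud apps"

# Constructed placeholder object IDs for the three VPN SAML apps in the question.
VPN_APP_IDS = [
    "00000000-0000-0000-0000-0000000000a1",
    "00000000-0000-0000-0000-0000000000a2",
    "00000000-0000-0000-0000-0000000000a3",
]


def build_policy(
    display_name: str,
    app_ids: list[str],
    sign_in_frequency_hours: Optional[int] = None,
    persistent_browser_mode: Optional[str] = None,  # "always" or "never"
) -> dict[str, Any]:
    """Return a conditionalAccessPolicy body: all users, given apps, require MFA,
    plus the optional session controls the thread talks about."""
    policy: dict[str, Any] = {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {},
    }
    if sign_in_frequency_hours is not None:
        policy["sessionControls"]["signInFrequency"] = {
            "isEnabled": True,
            "type": "hours",
            "value": sign_in_frequency_hours,
        }
    if persistent_browser_mode is not None:
        policy["sessionControls"]["persistentBrowser"] = {
            "isEnabled": True,
            "mode": persistent_browser_mode,
        }
    return policy


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Pre-flight checks mirroring the constraints discussed in the thread.
    Returns a list of problems; an empty list means the body looks submittable."""
    problems: list[str] = []
    apps = policy["conditions"]["applications"]["includeApplications"]
    session = policy.get("sessionControls", {})

    # Persistent browser session is only valid when the policy covers all cloud apps.
    if "persistentBrowser" in session and apps != [ALL_APPS]:
        problems.append(
            "persistentBrowser session control requires includeApplications == ['All']"
        )

    # Sign-in frequency may be scoped to specific apps, but the value must be >= 1.
    sif = session.get("signInFrequency")
    if sif is not None and sif.get("value", 0) < 1:
        problems.append("signInFrequency value must be at least 1")

    # The whole point of the policy in the question is to require MFA on the grant.
    if "mfa" not in policy["grantControls"].get("builtInControls", []):
        problems.append("grantControls.builtInControls should include 'mfa'")

    return problems


if __name__ == "__main__":
    # The asker's working configuration: MFA + 1 hour sign-in frequency, VPN apps only.
    vpn_policy = build_policy("VPN MFA hourly", VPN_APP_IDS, sign_in_frequency_hours=1)
    print("VPN policy problems:", validate_policy(vpn_policy))

    # The variant the answer warns about: persistent browser scoped to a subset of apps.
    bad_policy = build_policy("VPN no persistence", VPN_APP_IDS, persistent_browser_mode="never")
    print("Scoped persistentBrowser problems:", validate_policy(bad_policy))
```

`validate_policy` encodes only what this thread states, so it is a guard against submitting a body the service would reject, not a substitute for the service's own validation; the `persistentBrowser` check is the one that explains the "invalid session control" error mentioned in the answer.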