Is here any possibility to force MFA with time limit in azure for some apps?
Azure Conditional Access: sign-in frequency and SSO
Hi,
We have 3 apps which are doing SAML SSO to our local VPN solution.
We are using local AD and are syncing our users without password to azure with Azure AD connect.
What we wanted to have:
MFA on 'every' VPN connection without type in Username + password (so SSO + MFA)
We solved this with one conditional access rule for the specified VPN apps. Just a rule for all users, on the apps, with grant access only with required MFA. But users were able to select "Keep me signed in" on the ADFS login screen and have seamless SSO for days with "MFA requirement satisfied by claim in the token". That's not what we wanted. So I set "sign-in frequency" in conditional access to 1 hour. And it worked as expected. The users connect with MFA and can reconnect for 1 hour without MFA. SSO was provided by IE and the Active Directory domain user.
Yesterday a user told us that he has to type in his domain user's password after closing the connection and reconnecting. And it's reproducible. Since yesterday the SSO is broken when you try to run the VPN after closing the connection. This correlates with the "sign-in frequency" setting. Without it, SSO works without a problem. So enabling "sign-in frequency" breaks the SSO.
First question: is it correct to implement the requirement of enforced MFA for one app with Conditional Access and "sign-in frequency"? I did not find any other way to specify login rules for a single app. Sure, I can suppress "keep me signed in" on ADFS, but it will be suppressed in general and not just for the VPN apps.
Second question: is there a way to find out that MS changed the behavior of the "sign-in frequency" setting? I had no email regarding this.
Best,
Robin
2 answers
Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
2020-06-12T22:55:15.12+00:00
So you are not enforcing MFA universally for each app?
The persistent browser session control works only if you select all cloud apps; if you try to exclude an application, you will get an invalid session control error. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session
Not sure what you mean by changing behavior. Can you clarify? The full feature is covered here.
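As an added example, not code from the original question or answer: the policy Robin describes (all users, only the three SAML VPN apps, grant access requires MFA, sign-in frequency of 1 hour) expressed as a Microsoft Graph conditional access policy and created with the Microsoft Graph PowerShell SDK. The three application IDs are placeholders for the VPN enterprise apps, the display name is made up, and the policy is created in report-only state so its effect can be checked in the sign-in logs before it is enforced. It also reflects Marilee's point: persistent browser session control is left out, because that control is only valid when the policy targets all cloud apps.

```powershell
# Added example (not from the original Q&A): Conditional Access policy for a subset of apps
# with required MFA and a 1-hour sign-in frequency, built with the Microsoft Graph PowerShell SDK.
# Prerequisites (assumed): Install-Module Microsoft.Graph
#   Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Placeholder object IDs of the three SAML VPN enterprise applications (replace with your own).
$vpnAppIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: VPN app 1
    "00000000-0000-0000-0000-000000000002",   # placeholder: VPN app 2
    "00000000-0000-0000-0000-000000000003"    # placeholder: VPN app 3
)

$policy = @{
    displayName = "VPN apps - require MFA, re-authenticate every hour"   # made-up name
    # Report-only first: sign-in logs show what the policy *would* do without blocking anyone.
    # Change to "enabled" once the sign-in frequency behaviour has been confirmed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = $vpnAppIds }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")          # "grant access only with required MFA"
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1                   # users re-authenticate (with MFA) after 1 hour
        }
        # persistentBrowser is deliberately omitted: it is only accepted when the policy
        # targets all cloud apps, so combining it with this app subset returns an
        # invalid session control error, as the answer above notes.
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Read it back to confirm the session control was stored as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ Name = "SignInFrequency"; Expression = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```

While the policy sits in report-only mode, the Azure AD sign-in log entries for the VPN apps show the policy under "Conditional Access" with a result of "Report-only: Success" or "Report-only: Failure", which is where the interaction with ADFS "Keep me signed in" and seamless SSO described in the question can be observed before anyone is prompted.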