Can you set the MFA prompt to a specific time (in conditional access)?

Margot 21 Reputation points
2022-01-11T14:25:58.92+00:00

In our company we have a conditional access policy requiring users to log in with MFA every 24 hours. We turned off the option to remember the login.

Sometimes a user gets prompted in the middle of their work, as the prompt doesn't appear exactly after 24 hours. It also means that if a user logs in in the afternoon, the prompt will appear in the afternoon every time, and this can be annoying as the next day they might have started earlier.

Is there a way to set the prompt to a specific time, say every morning at 8 o'clock?

Or is there an option to get the MFA prompt every time they log in, no matter the time?

We would like to keep the MFA prompt appearing every day and not remember logins.

Many thanks in advance

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2022-01-11T16:09:08.983+00:00

    Hi @Margot • Thank you for reaching out. Please find my comments inline.

    Is there a way to set the prompt to a specific time, say every morning at 8 o'clock?
    No, there is no such setting available as of now.

    Or is there an option to get the MFA prompt every time they log in, no matter the time?
    Yes, you can configure this by performing the below steps:

    1. Sign in to the Azure portal using a Global Administrator account.
    2. Navigate to Azure Active Directory > Users > click on the Per-user MFA link
    3. In the Multi-factor Authentication portal, click on service settings and uncheck "Allow users to remember multi-factor authentication on devices they trust" checkbox, as highlighted below:
      163919-image.png

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Mr Sbaa 356 Reputation points
    2022-01-11T19:56:59.027+00:00

    I am not sure what you configured now in your conditional access policy, but this can basically be achieved with user sign-in frequency. If you set this at 10 hours, for example, the user's session will stay active until the specified time period has been reached.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    There is no option to set this at a specific time, but you should be fine using this setting alone. I have the same configured and users will not get prompted during the day since most work 8 hours.
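
The sign-in frequency setting discussed in the answers above, written as a conditional access policy created through Microsoft Graph PowerShell. This is an added example, not code from either answer or from Microsoft's documentation; the display name, the all-users/all-apps scope, the persistent-browser setting and the report-only state are assumptions to adapt to your tenant.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    # Assumed name, chosen for this example only.
    displayName = 'Require MFA - 10 hour sign-in frequency (example)'

    # Report-only: the policy is evaluated and logged but not enforced,
    # so its effect can be reviewed in the sign-in logs first.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        # Assumption: scoped to everyone. In practice, start with a pilot
        # group and exclude emergency-access accounts.
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }

    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }

    sessionControls = @{
        # Reauthentication is required once the session is older than 10 hours.
        # This is a rolling interval, not a fixed clock time such as 08:00.
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 10
        }
        # Assumption: do not keep browser sessions after the browser closes.
        # This control is only accepted when all applications are included.
        persistentBrowser = @{
            isEnabled = $true
            mode      = 'never'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results match expectations, the same policy can be enforced by changing `state` to `enabled`.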