Uncheck by default the "Don't ask again for X days"

Tomass Pētersons 336 Reputation points
2022-05-06T13:18:50.917+00:00

Hi,

I have access to two tenants. Both tenants use old per-user MFA.

When logging in to the tenant where "Don't ask again for X days" is set to 30 days, the checkbox is not checked by default, i.e. if I want MFA not to be requested next time, I have to check this box manually.

At the same time, the second tenant has this option set to 90 days. When I log in to this tenant, the checkbox is checked by default. If I want MFA to be requested next time, I have to uncheck this box manually.

Nowhere in the first tenant is it specifically configured to uncheck this checkbox by default. So I wanted to find out how this is possible. Is it even possible to configure this checkbox so it would be unchecked by default, i.e. users would have to check it manually if they do not want MFA to be required next time they log in? This documentation does not say anything about it - howto-mfa-mfasettings

Thanks!

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2022-05-06T21:03:52.857+00:00

    Hi @Tomass Pētersons ,

    This option is only configurable on the user side, so there is no way to uncheck the default "Don't ask again for X days."

    You mention that the checkmark is selected by default in one tenant and not the other. This may happen if the user from one tenant signed in without selecting it the first time, or it could be that one of the known limitations listed here is affecting the setting. For example, if you are using the setting alongside a Conditional Access Sign-in Frequency policy, there can be conflicts between the "remember my device" settings and the sign-in frequency policy behavior. If those situations do not apply to you, I'm not sure why it is happening in your case, so I also reached out to the product team to see if there is any reason why the checkboxes might be selected sometimes and not others (other than the limitations mentioned).

    As documented under Mark a Device as Trusted, when you enable the "remember Multi-Factor Authentication feature", users can mark a device as trusted when they sign in by selecting the option for "Don't ask again."

    This option is not configurable in the MFA service settings or MFA user settings because the user defines for the first time if they are using a trusted device.

    The best way to customize this experience is to use Conditional Access, or to disable the "remember multi-factor authentication" setting entirely.

    Adding a configurable checkbox setting has been a fairly common feature request though, so I have passed this feedback along to the product team. I have also checked with them why the checkbox might be selected sometimes and not others if it hasn't been pre-configured, and whether it can happen for a reason other than the limitations mentioned. I will let you know as soon as I have a response.

    Marilee

    -

    If the information provided was useful to you, please consider marking as answer so that others in the community with similar questions can more easily find a solution.


1 additional answer

  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2022-05-06T21:41:20.097+00:00

    To add to my previous answer, I would recommend trying a different browser to see if you get the same results with the users, and also verify if this happens to all admin users vs regular users.

    The product team also confirmed my understanding that there isn't a setting for this, and the checkbox is likely a browser cache issue rather than something configured in the Azure AD settings.
