I wonder about the behavior of a Conditional Access Policy with user sign-in frequency = 1 day after the user has changed his password.
Test Scenario:
User changes his PW in the on-premises AD
The PC is restarted
A new session to the Azure Portal is started in the browser which was used before
The user name is requested
Due to ADFS, the PW request is forwarded to the ADFS server
The user enters the PW
No MFA is requested afterwards because the sign-in frequency has not expired.
Is this normal behavior?
According to the Microsoft document https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime:
It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or account disable.
The expectation here is that MFA would be required, as a password change should violate policy.
Is the assumption wrong?
Any help or insight would be most appreciated.
Thank You
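A defender-side check for the scenario above, added here as an example and not taken from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to confirm whether Azure AD actually recorded the on-premises password change, which Conditional Access policies enforce a sign-in frequency, and how the sign-ins after the change were evaluated. The UPN is a placeholder, and the required modules and Graph scopes are assumptions about the tenant.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph.Users,
# Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Policy.Read.All'

$upn = 'testuser@contoso.example'   # placeholder for the test account used in the scenario

# 1. Did Azure AD see the password change at all? An on-premises change only reaches
#    Azure AD through password hash sync; with federation alone these timestamps do not move.
$user = Get-MgUser -UserId $upn -Property 'userPrincipalName', 'lastPasswordChangeDateTime', 'refreshTokensValidFromDateTime'
"Last password change seen by Azure AD : $($user.LastPasswordChangeDateTime)"
"Refresh tokens valid from             : $($user.RefreshTokensValidFromDateTime)"

# 2. Which policies carry a sign-in frequency session control, and with what value?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    ForEach-Object {
        '{0}: state={1}, signInFrequency={2} {3}' -f $_.DisplayName, $_.State,
            $_.SessionControls.SignInFrequency.Value, $_.SessionControls.SignInFrequency.Type
    }

# 3. How were the sign-ins after the password change evaluated? An entry showing
#    'singleFactorAuthentication' with the sign-in frequency policy reported as satisfied
#    means the earlier session was reused rather than revoked.
if (-not $user.LastPasswordChangeDateTime) {
    Write-Warning 'Azure AD has no password change timestamp for this user; check sync first.'
    return
}
$since = $user.LastPasswordChangeDateTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
    ForEach-Object {
        $applied = ($_.AppliedConditionalAccessPolicies | ForEach-Object {
            '{0}={1}[{2}]' -f $_.DisplayName, $_.Result, ($_.EnforcedSessionControls -join ',')
        }) -join '; '
        '{0} {1} auth={2} ca={3} policies: {4}' -f $_.CreatedDateTime, $_.AppName,
            $_.AuthenticationRequirement, $_.ConditionalAccessStatus, $applied
    }
```

If step 1 shows no change timestamp after the on-premises reset, the token revocation described in the linked document cannot have happened, regardless of the sign-in frequency setting.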