question

MSHPR-6596 asked · MarileeTurscak-MSFT commented

User sign-in frequency after PW change

I wonder about the behavior of a Conditional Access policy with user sign-in frequency = 1 day after the user has changed his password.

Test Scenario:

  • User changes his PW in the on-premises AD

  • The PC is restarted

  • A new session to the Azure portal is started in the browser that was used before

  • User name is requested

  • Due to ADFS, the PW request is forwarded to the ADFS server

  • User enters the PW

  • No MFA is requested afterwards because the sign-in frequency has not expired.

Is this normal behavior?
According to the Microsoft document https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime:
"It might sound alarming to not ask for a user to sign back in, in reality any violation of IT policies will revoke the session. Some examples include (but are not limited to) a password change, an incompliant device, or account disable."

The expectation here is to be prompted for MFA, as a password change should violate the policy.
Is the assumption wrong?

Any help or insight would be most appreciated.
Thank You

azure-ad-conditional-access
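The scenario above is about whether a password change actually invalidated the existing Azure AD session, and what to do if it did not. The following PowerShell is an added example, not code from the original question or from Microsoft's reply. It uses the Microsoft Graph PowerShell SDK to (1) list which enabled Conditional Access policies set a sign-in frequency, (2) compare the test user's lastPasswordChangeDateTime with signInSessionsValidFromDateTime, and (3) revoke the user's sessions explicitly as a compensating control when sessions issued before the password change are still valid. The UPN is a placeholder, and the required scopes are assumed; whether lastPasswordChangeDateTime reflects a password changed on-premises through ADFS depends on the tenant's sync configuration, so treat that part of the check as an assumption to verify in your own tenant.

```powershell
# Added example (not from the original post or Microsoft's reply).
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account has consented to Policy.Read.All and User.ReadWrite.All.
Connect-MgGraph -Scopes "Policy.Read.All", "User.ReadWrite.All"

# 1. Which enabled CA policies enforce a sign-in frequency, and with what value?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.SessionControls.SignInFrequency.IsEnabled } |
    ForEach-Object {
        [pscustomobject]@{
            Policy    = $_.DisplayName
            Frequency = "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)"
        }
    }

# 2. For the test user: did the last password change invalidate the sessions
#    that existed before it? Tokens and session cookies issued before
#    signInSessionsValidFromDateTime are rejected by Azure AD.
$upn  = 'test.user@contoso.com'   # placeholder UPN, replace with the test account
$user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,lastPasswordChangeDateTime,signInSessionsValidFromDateTime'
$user | Select-Object UserPrincipalName, LastPasswordChangeDateTime, SignInSessionsValidFromDateTime

if ($user.LastPasswordChangeDateTime -gt $user.SignInSessionsValidFromDateTime) {
    Write-Warning "Sessions issued before the last password change are still valid for $upn."

    # 3. Compensating control: revoke all refresh tokens and session cookies now,
    #    which moves signInSessionsValidFromDateTime to the current time and
    #    forces a fresh interactive sign-in (and therefore MFA, if the policy
    #    requires it) on the next request.
    Revoke-MgUserSignInSession -UserId $user.Id
}
```

Run step 2 right after reproducing the test scenario; if the warning fires, the password change did not revoke the session on the Azure AD side, which is the evidence to include when raising the case. Step 3 is what an operator can do manually, or from an automation hooked to the password-change event, until the expected behavior is confirmed.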

Just so I understand - you are saying that you set a conditional access policy that requires a sign-in one day after the user changes his password, but you want the user to also be prompted for MFA after the password change? And you were able to test this and confirm that the user was not prompted for MFA after the password change?

If the users are using Windows Hello for Business, that will qualify as satisfying the MFA prompt. Also, if they are using Windows Virtual Desktop, there needs to be an MFA policy applied directly to Windows Virtual Desktop users under Enterprise Applications > Windows Virtual Desktop client.

I have heard one other report of this behavior when neither of those scenarios applied, and if that is the case for you I will raise this concern with the product group. I believe they were working on this issue but am not sure if it got fixed.


0 Answers