We have domain-joined (i.e. hybrid Azure AD joined) W10 devices; sign-in uses WHfB, and checking SSO state with dsregcmd /status shows AzureADPrt: YES.
There is a CA policy applied to a select group of users with:
All cloud apps
All client apps (browser, mobile & desktop clients, EAS clients, other clients)
Grant access: Require MFA
Sign-in frequency: 1 day
Persistent browser session: always
Using M365 Apps for Enterprise, and the problem is that various individual apps prompt for MFA and password at the start of the session (i.e. OneDrive, Teams, Outlook).
Shouldn't the M365 apps share the PRT token (inc. the MFA claim) following the WHfB sign-in?
We would like to see a single/universal MFA challenge.
SSO works OK when users are outside the scope of this CA policy
Does anybody have this working properly?
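As an added example (not part of the original post, and not Microsoft's tooling), the following PowerShell parses the output of dsregcmd /status into a hashtable and flags the fields a practitioner checks when SSO via the PRT is not behaving as expected: hybrid join state, WHfB key provisioning (NgcSet) and whether a PRT is present and when it was last refreshed. The function names (Get-DsregStatus, Test-PrtSsoReadiness) are my own; the field names are those dsregcmd prints on Windows 10. Run it in the context of the signed-in user, not from an elevated console under a different admin account, because the SSO State section reflects the account that launched dsregcmd.

```powershell
# Added example: parse `dsregcmd /status` and flag the fields relevant to
# hybrid-join + WHfB + PRT-based SSO. Function names are hypothetical (mine).

function Get-DsregStatus {
    param(
        # Defaults to live output; pass captured lines to analyse a saved report offline.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $status = @{}
    foreach ($line in $Lines) {
        # Lines look like "AzureAdPrt : YES"; the key is the text before the first colon.
        if ($line -match '^\s*([A-Za-z0-9_ ]+?)\s*:\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-PrtSsoReadiness {
    param([hashtable]$Status)

    # Expected values for a hybrid-joined device signed in with WHfB that holds a PRT.
    $expected = [ordered]@{
        'DomainJoined'  = 'YES'   # on-prem AD join
        'AzureAdJoined' = 'YES'   # registered with Azure AD (hybrid join)
        'NgcSet'        = 'YES'   # WHfB key provisioned for this user
        'AzureAdPrt'    = 'YES'   # Primary Refresh Token present for this user
    }

    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        $pass   = ($actual -eq $expected[$key])
        if (-not $pass) { $ok = $false }
        '{0,-16} {1,-6} expected {2}' -f $key, ($actual ?? '<missing>'), $expected[$key] |
            Write-Output
    }

    # A PRT that has not been refreshed recently is a common reason apps fall back
    # to interactive prompts; surface the timestamp so it can be compared with the
    # sign-in frequency configured in Conditional Access.
    if ($Status.ContainsKey('AzureAdPrtUpdateTime')) {
        Write-Output ('AzureAdPrtUpdateTime: {0}' -f $Status['AzureAdPrtUpdateTime'])
    }
    return $ok
}

# Usage (live): run as the signed-in user, not elevated under another account.
$status = Get-DsregStatus
if (Test-PrtSsoReadiness -Status $status) {
    Write-Output 'Device/user state looks right for PRT-based SSO.'
} else {
    Write-Output 'One or more prerequisites for PRT-based SSO are not met.'
}
```

If every field reports YES and the PRT update time is recent, the device side is in order and the remaining question is how the Conditional Access policy (all cloud apps, all client apps, MFA with a 1-day sign-in frequency) interacts with the MFA claim carried in the PRT; if NgcSet or AzureAdPrt is NO, the apps cannot reuse a WHfB-backed PRT and will prompt regardless of the policy.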