JimStubbings-2380 asked JaiVerma-7010 edited

Conditional Access Sign-in frequency Multiple MFA prompts

Hello -

We have domain-joined (i.e. hybrid Azure AD joined) W10 devices, sign in using WHfB, and check SSO state using dsregcmd /status, which shows AzureADPrt: YES.

There is a CA policy applied to a select group of users, with:

  • All cloud apps

  • All client apps (browser, mobile & desktop clients, EAS clients, other clients)

  • Grant access: Require MFA

  • Sign-in frequency: 1 day

  • Persistent browser session: always

We are using M365 Apps for Enterprise, and the problem is that various individual apps (i.e. OneDrive, Teams, Outlook) prompt for MFA and password at the start of the session.

Shouldn't the M365 apps share the PRT token (inc. the MFA claim) following the WHfB sign-in?

We would like to see a single/universal MFA challenge.

SSO works OK when users are outside the scope of this CA policy.

Does anybody have this working properly?

Thank you

azure-ad-conditional-access

1 Answer

JaiVerma-7010 answered JaiVerma-7010 edited

We are using this policy, and we did extensive testing before deploying it in our environment. Here is my experience and understanding:

  • We have to satisfy MFA once for Office applications (whichever one the user clicks first), and the rest of the Office applications do not prompt for MFA.

  • However, non-Office applications, which do not use the PRT, still prompt for MFA.

  • It works very differently for mobile devices: every application on mobile prompts for MFA, and we decided to exclude the MFA policy for mobile as it was very annoying.

So the symptoms you described on your HAADJ device are unexpected.
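An added example, not part of the question or answer above: a Python sketch that parses captured `dsregcmd /status` output and lists device-side reasons PRT-based SSO may be unavailable (hybrid join, WHfB credential, PRT presence and age). The sample output and clock are constructed, and the `max_prt_age` threshold is an assumption chosen for triage.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: only the `dsregcmd /status` fields relevant to the question.
SAMPLE = """\
             AzureAdJoined : YES
              DomainJoined : YES
                    NgcSet : YES
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-03-01 08:02:11.000 UTC
"""

def parse_status(text):
    """Return {field: value} for every 'Name : Value' line; banners are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep and re.fullmatch(r"\w+", name.strip()):
            fields[name.strip()] = value.strip()
    return fields

def sso_findings(fields, now, max_prt_age=timedelta(hours=8)):
    """List reasons the device may not be able to offer SSO with a PRT.
    max_prt_age is an assumed triage threshold, not a documented limit."""
    yes = lambda name: fields.get(name, "").upper() == "YES"
    findings = []
    if not (yes("AzureAdJoined") and yes("DomainJoined")):
        findings.append("device is not hybrid Azure AD joined")
    if not yes("NgcSet"):
        findings.append("no WHfB credential for this user (NgcSet)")
    if not yes("AzureAdPrt"):
        findings.append("no PRT present (AzureAdPrt)")
        return findings  # nothing further to check without a PRT
    stamp = fields.get("AzureAdPrtUpdateTime")
    if stamp:
        updated = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f UTC")
        updated = updated.replace(tzinfo=timezone.utc)
        if now - updated > max_prt_age:
            findings.append(f"PRT last updated {now - updated} ago")
    return findings

if __name__ == "__main__":
    now = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    print(sso_findings(parse_status(SAMPLE), now) or "PRT preconditions look fine")
```

An empty result only means the device-side preconditions named in the question are met; it does not show which policy triggered a given prompt.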

