CiaranMurphy-0763 asked MarileeTurscak-MSFT answered

MFA skip for 14 days not working for ios and android enrollment

Hi Folks,

When a new person starts with our company we allow them to skip MFA configuration for up to 14 days. This works great on Windows 10 computers or for Azure portals. But we are finding that the skip for 14 days option doesn't work when they are trying to set up their new Android or iOS devices using autoenrollment.

Our iOS devices are auto enrolled through Apple Business Manager and a setup assistant profile in Intune. For Android they are auto enrolled through Knox and enrolled as Android Enterprise devices.

The problem is that when a brand new user starts up their brand new phone with a brand new phone number and gets to the Azure sign-in screen on the phone, it doesn't allow them to 'skip for 14 days'. The option to skip is on the screen but tapping on it does nothing. Therefore there is no way for them to proceed with signing into the device and they are stuck.

Is this known behavior or is there a way to fix this in configuration?

Regards

Ciaran


Hi Ciaran,

Could you please share a screenshot of what happens? You mention that they see the option to "Skip for 14 days", but they aren't able to click on it. Would you be able to use Fiddler to capture the request in the browser when this happens?

If MFA is set to "Enforced" for any of these users, there will not be an option to skip, but it doesn't seem like this is the case since they are receiving the option.

I have reached out to the product team to check if this is a known issue and if there is any solution. In the meantime, any logs or screenshots you provide will help me to better troubleshoot.

Thanks,

Marilee


1 Answer

MarileeTurscak-MSFT answered

Hi @CiaranMurphy-0763,

To add to the previous answer, I wanted to confirm: are you seeing this for an app in the device using an embedded browser for authentication, or is this experience occurring in the device's browser? If this is not occurring in a browser, this is expected behavior and they will need to use the browser to resolve this.

From our documentation:

Browser experience
The "Don't ask again for X days" option will only show on browser applications. When the user signs in they must complete primary authentication and the multi-factor authentication prompt. Once complete, they will be prompted to choose "don't ask again" and a persistent cookie will be set on the browser they are using. They will not be prompted for any other browser applications until that cookie expires or is cleared.

Modern Authentication clients
The "Don't ask again for X days" option will not be shown on non-browser applications, regardless of whether the app supports modern auth or not. These apps use refresh tokens or PRTs. When these tokens are validated, Azure AD will look at the MFA Auth instance stamped on that token and validate whether it occurred within the number of days specified for "Remember my device". This means that while this can reduce the number of prompts for web applications that prompt every time, it can, however, cause rich clients to prompt more often if this is set lower than the default of 90 days.

Known Limitations
"Remember my device" is not compatible with "keep me signed in" with ADFS when ADFS is performing MFA via MFA Server or 3rd party MFA solutions. If the user selects "keep me signed in" on ADFS and also "remember my device", then when the "remember my device" days expire Azure AD will request a fresh MFA prompt, but ADFS will return the token it has and the user will get stuck in a verification loop.
"Remember my device" is not compatible with B2B users, and B2B users will not be prompted as outlined above.

This setting does not work well with the Conditional Access sign-in frequency policy, and it's recommended to use one or the other.
The recommendation for customers with Azure AD Premium is to use Conditional Access sign-in frequency and/or persistent browser policies to control the MFA prompt behavior.
If the customer only has a Microsoft 365 apps license or Azure AD Free, then "Remember my device" is the recommendation.

Let me know if this helps.

If this answer helped resolve your question, please remember to mark it as answer so that others in the community can more easily find a solution.
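The two code paths the quoted documentation describes (a persistent browser cookie versus the MFA instant stamped on a refresh token or PRT), together with the per-user "Enforced" case from the comment above, modelled as an added Python example. This is not Microsoft's code; the class names, field names and the sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default "remember multi-factor authentication" window named in the quoted documentation.
DEFAULT_REMEMBER_DAYS = 90


@dataclass
class BrowserSession:
    # Hypothetical state: when the persistent "don't ask again" cookie was set (None = no cookie).
    cookie_set_at: Optional[datetime]


@dataclass
class TokenSession:
    # Hypothetical state: the MFA instant stamped on the refresh token / PRT (None = no MFA claim).
    mfa_auth_instant: Optional[datetime]


def browser_needs_mfa(session: BrowserSession, remember_days: int, now: datetime) -> bool:
    """Browser path: prompt unless a persistent cookie exists and is still inside the window."""
    if session.cookie_set_at is None:
        return True
    return now - session.cookie_set_at > timedelta(days=remember_days)


def client_needs_mfa(session: TokenSession, remember_days: int, now: datetime) -> bool:
    """Modern-auth client path: no cookie is involved; the MFA instant on the token is
    compared with the configured window, so a short window re-prompts rich clients sooner."""
    if session.mfa_auth_instant is None:
        return True
    return now - session.mfa_auth_instant > timedelta(days=remember_days)


def skip_option_available(per_user_mfa_state: str, in_browser: bool) -> bool:
    """The "don't ask again" choice is only offered in a browser, and never when the
    user's per-user MFA state is "Enforced"."""
    return in_browser and per_user_mfa_state.strip().lower() != "enforced"


if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)  # constructed sample clock
    token = TokenSession(mfa_auth_instant=now - timedelta(days=30))
    # Same token: prompts with a 14-day window, stays quiet with the 90-day default.
    print("14-day window prompts rich client:", client_needs_mfa(token, 14, now))
    print("90-day window prompts rich client:", client_needs_mfa(token, DEFAULT_REMEMBER_DAYS, now))
    print("Enforced user in browser sees skip:", skip_option_available("Enforced", True))
```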