How to Ensure MFA for Every Login with Entra SAML?

Asked By TechWhiz101 On

I'm currently using Entra SAML to access an application and have set up a conditional access policy to require multi-factor authentication (MFA) for every single login. However, users aren't getting prompted for MFA as I'd like. The sign-in logs indicate that the 'MFA requirement is satisfied by claim in the token,' which raises concerns about token theft. I want to enforce a proper MFA authentication at every login, meaning users need to use the Microsoft Authenticator each time they log in.

I've also tried implementing session controls to mandate a new sign-in whenever an event requires authentication strengths, which includes using both a password and an authenticator push notification. Despite these efforts, some clients and users are still able to authenticate using token issuance. I'm looking for any advice on how to achieve the desired level of MFA requirement for every login.

3 Answers

Answered By AuthTechie89 On

If you're set on MFA for each login, consider looking into passkeys and more modern authentication methods. But keep in mind that simply enforcing frequent logins won’t necessarily increase security; users could still just type in their code or hit approve on their authenticator.

Answered By LoginGuru On

Just a heads-up that the sign-in frequency feature only works effectively with apps that are using OAuth. Most SAML applications may not comply with that. However, Entra does support the ForceAuthN flag on the SAML side. Make sure your SAML application can handle that flag and include it in each authentication request—this will force users to reauthenticate every time.

TechWhiz101 -

Thanks, I'll definitely check into that!

Answered By SecureMFaPro On

You might want to reconsider requiring MFA for every login. This could lead to MFA fatigue among users—not to mention possible security issues on the back of wanting extra protection. Instead, I recommend focusing on enforcing the lifespan of session tokens and making sure only compliant devices can access that application.
