I'm currently using Entra SAML to log into a specific application and I've set up a conditional access policy that requires MFA for each login. The issue is, my users aren't being prompted for MFA like I want them to be. The logs indicate that the 'MFA requirement is satisfied by claim in the token,' which isn't what I intended since token theft is a concern. I prefer to have actual MFA verification at every login, which means users must authenticate with the Microsoft Authenticator each time. I've attempted to implement session controls to mandate a new sign-in when an event requires authentication strength (I've only set it to password + authenticator push notification), but some clients and users are still authenticating via token issuance. Does anyone have suggestions on how to achieve true MFA for every login?
3 Answers
The sign-in frequency feature mainly applies to apps using OAuth, and strict compliance with the specs is required where users get redirected back to Entra for authentication quite frequently. Not all SAML applications support this feature. However, Entra can recognize the ForceAuthN flag from the SAML end. Check if your application supports it and include it with each authentication request to ensure users have to re-authenticate each time.
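As an added example (not code from the answer's author or from any SAML library): a small Python helper that builds a SAML 2.0 AuthnRequest with `ForceAuthn="true"`, encodes/decodes it in the HTTP-Redirect binding, and checks whether a captured `SAMLRequest` parameter actually asks the IdP for fresh authentication. The issuer, ACS URL and tenant ID are placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, acs_url, destination, force_authn=True):
    """Return an AuthnRequest as XML text; ForceAuthn tells the IdP not to reuse an existing session."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding, for inspecting a captured SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def requests_fresh_authentication(xml_text):
    """True only if the AuthnRequest carries ForceAuthn (xs:boolean: 'true' or '1')."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


if __name__ == "__main__":
    # Placeholder values; replace with your SP's entity ID, ACS URL and Entra tenant ID.
    xml = build_authn_request("https://sp.example.test", "https://sp.example.test/acs",
                              "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2")
    print(requests_fresh_authentication(decode_redirect_binding(encode_redirect_binding(xml))))
```

To audit a real application, paste the `SAMLRequest` query parameter from its redirect to Entra into `decode_redirect_binding` and run `requests_fresh_authentication` on the result; `False` means the app never asked for re-authentication, so an existing session (and its MFA claim) will satisfy the policy.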
You might want to reconsider this approach. Requiring MFA for every login can lead to user fatigue and could actually decrease security instead of enhancing it. It's often better to set limits on session token lifespan and enforce compliant device use instead.
Consider adopting passkeys and more modern authentication methods. But keep in mind that just pushing for MFA won't necessarily make things more secure. Users might just end up typing their code or hitting 'approve' without thinking.

Thanks for the tip! I'll definitely check that out.