I'm working with Entra using SAML for logging into another application, and I set up a conditional access policy that requires Multi-Factor Authentication (MFA) for every login. However, users aren't being asked for MFA as I expected. The sign-in logs show that the MFA requirement is satisfied by a claim in the token, which doesn't provide the thorough security I want against token theft. I'm looking for a reliable method to ensure that users have to use Microsoft Authenticator for MFA at every login. I've tried adjusting session controls to force a new sign-in whenever an event requires user authentication strengths, but some clients and users still manage to authenticate using token issuance. Does anyone have suggestions on how to make this work?
2 Answers
It looks like you've already set the sign-in frequency to 'Every time' in your Conditional Access settings, but just keep in mind that this mainly decides how often Entra re-evaluates the session. It doesn't always trigger a fresh MFA prompt if there's already a claim in a session cookie or PRT. Ideally, for this to work effectively, the application should have a mechanism in place to request a new token, like using the forceauthn option, or the session needs to actually be expired or invalid.
You're experiencing the 'MFA requirement satisfied by claim in the token' message because Entra is reusing a token where MFA has already happened. To guarantee a full MFA check for every login:
1. Set up a Conditional Access policy with a sign-in frequency of "Every time" to ensure users are re-authenticated.
2. Keep using your authentication strengths like a password combined with an Authenticator push notification.
3. Check if the SAML app is maintaining sessions as that might prevent fresh logins.
4. Consider disabling persistent browser sessions to enforce MFA every time.
Doing this should give you the real MFA setup you're after!
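Both answers come down to the same point: the SAML service provider has to ask for a fresh authentication and then check that it actually got one, rather than trusting the IdP's session. The following is an added example, not code from the question or from either answer. It shows the SP side: an AuthnRequest with ForceAuthn="true", the HTTP-Redirect encoding, and a check on the returned assertion that the AuthnInstant is not older than the request and that the authentication-methods claim records MFA. The issuer, ACS and SSO URLs are placeholders, the sample SAML response is constructed for the example, and the claim name http://schemas.microsoft.com/claims/authnmethodsreferences with the value http://schemas.microsoft.com/claims/multipleauthn is an assumption you should verify against a real response from your own tenant. Signature validation is out of scope here and must still be done with a proper SAML library.

```python
"""Added example (not from the original page): force and verify a fresh SAML login."""
import base64
import re
import uuid
import zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed Entra claim/value names for "which methods were used"; confirm in your own response.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"


def _parse_instant(value):
    """Parse a SAML xs:dateTime like 2024-05-01T10:00:05.123Z into an aware datetime."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def build_authn_request(issuer, acs_url, idp_sso_url, force_authn=True, issue_instant=None):
    """Build an AuthnRequest; ForceAuthn="true" tells the IdP not to reuse its session."""
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64, for the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(data).decode()


def redirect_decode(param):
    """Inverse of redirect_encode, handy for inspecting what a browser actually sent."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def authn_methods(response_xml):
    """Return the values of the (assumed) authnmethodsreferences attribute, or [] if absent."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(f".//{{{SAML}}}Attribute"):
        if attr.get("Name") == AMR_CLAIM:
            return [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return []


def check_response(response_xml, request_issue_instant, max_skew_seconds=120):
    """Decide whether the assertion reflects a fresh, MFA-backed login for *this* request.

    fresh: AuthnInstant is not earlier than the request (minus clock skew). A reused
           IdP session shows up as an AuthnInstant well before the request was sent.
    mfa:   the methods claim lists the multi-factor value.
    """
    root = ET.fromstring(response_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    if stmt is None or stmt.get("AuthnInstant") is None:
        return {"fresh": False, "mfa": False, "methods": []}
    authn_instant = _parse_instant(stmt.get("AuthnInstant"))
    requested_at = _parse_instant(request_issue_instant)
    fresh = authn_instant >= requested_at - timedelta(seconds=max_skew_seconds)
    methods = authn_methods(response_xml)
    return {"fresh": fresh, "mfa": MFA_VALUE in methods, "methods": methods}


# Constructed sample response (not a real Entra token): login at 10:00:05 with password + MFA.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:05.000Z" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AMR_CLAIM}">
        <saml:AttributeValue>http://schemas.microsoft.com/claims/password</saml:AttributeValue>
        <saml:AttributeValue>{MFA_VALUE}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com", "https://sp.example.com/acs",
                              "https://login.microsoftonline.com/TENANT_ID/saml2")
    print("SAMLRequest=" + redirect_encode(req))
    print(check_response(SAMPLE_RESPONSE, "2024-05-01T10:00:00Z"))   # fresh login
    print(check_response(SAMPLE_RESPONSE, "2024-05-01T11:00:00Z"))   # stale: IdP reused a session
```

The freshness check is the part that closes the gap the question describes: a "MFA requirement satisfied by claim in the token" sign-in produces an assertion whose AuthnInstant predates your request, so rejecting those at the SP catches session reuse regardless of how the Conditional Access policy is evaluated. Keep the skew window small and tied to your IdP's clock accuracy.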