I'm dealing with a puzzling situation where one of my users on a Microsoft 365 tenant has to sign in daily, and sometimes even more frequently. This user accesses their account on multiple devices, including a laptop and desktops at different locations. I'm at a loss because excluding them from multi-factor authentication hasn't resolved the issue. Interestingly, no other users in our tenant are experiencing similar problems, and there aren't any conditional access policies in place that would affect browser persistence.
I've also looked into local settings that might affect this, such as roaming profiles or group policies that would clear cookies, but those aren't applicable either. The user has tested other services, like their Hotmail account, and those remember their sign-in, which leads me to believe the issue is isolated to their Office 365 account. Any suggestions on how to tackle this?
5 Answers
It sounds like the issue might be tied to conditional access settings. It could be worthwhile to check the user sign-in logs in Azure. Look for the first sign-in of the day and see if there's a specific reason listed for the login prompt, which might indicate a conditional access policy that’s causing the trouble.
You might want to see if that user is listed among the 'risky users.' Sometimes, being flagged can affect sign-in stability. It could also be worth noting if there was a recent policy change from Microsoft that might have been applied without your knowledge.
I've dealt with a similar situation before. Start by looking at the Entra ID sign-in logs for that user, especially filtering for OfficeHome or Office.com. Those logs typically provide details on why the sessions are challenged – it could be from sign-in frequency settings, token validity, compliance issues, or more. Double-check the conditional access tab as well; sometimes those session controls can cause frequent logouts even when you think they're not active.
Is there any chance they’re using a VPN? Frequent changes in IP addresses can trigger re-authentication requests, leading to the sign-in hassle. Also, ensure the machines are properly registered with Entra, as that can lead to excessive MFA prompts.
I encountered this problem as well, linked to a policy Microsoft enabled earlier this year. If you want, I can check on that specific policy next week. Once I disabled it, the sign-in hassle vanished for my user.
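Added example, not part of any answer above: a Python sketch of the sign-in log review the answers suggest (conditional access session controls, IP changes, device registration, risky-user state), run over constructed records that use field names from the Microsoft Graph signIn resource. The flagging rules are assumptions chosen for illustration, not Microsoft's own logic, and all sample values are invented.

```python
import json

# Constructed sample: interactive sign-ins shaped like Microsoft Graph signIn
# records. Field names follow that resource; every value here is invented.
SAMPLE = json.loads("""[
 {"createdDateTime": "2024-05-06T07:58:11Z", "appDisplayName": "OfficeHome",
  "ipAddress": "198.51.100.7", "isInteractive": true, "riskState": "none",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000001"},
  "appliedConditionalAccessPolicies": []},
 {"createdDateTime": "2024-05-06T13:02:45Z", "appDisplayName": "OfficeHome",
  "ipAddress": "203.0.113.40", "isInteractive": true, "riskState": "none",
  "deviceDetail": {"deviceId": ""},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Constructed-Policy-A", "result": "success",
     "enforcedSessionControls": ["constructed-session-control"]}]},
 {"createdDateTime": "2024-05-07T08:01:30Z", "appDisplayName": "OfficeHome",
  "ipAddress": "203.0.113.40", "isInteractive": true, "riskState": "atRisk",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000001"},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Constructed-Policy-B", "result": "notApplied",
     "enforcedSessionControls": []}]}
]""")

def triage(records):
    """Return (time, app, notes) per interactive sign-in, oldest first."""
    rows = sorted((r for r in records if r.get("isInteractive")),
                  key=lambda r: r["createdDateTime"])
    out, prev_ip = [], None
    for r in rows:
        notes = []
        for p in r.get("appliedConditionalAccessPolicies") or []:
            # A policy that applied and enforced a session control can force re-auth.
            if p.get("result") == "success" and p.get("enforcedSessionControls"):
                notes.append(f"session control from '{p['displayName']}'")
        if prev_ip and r["ipAddress"] != prev_ip:
            notes.append(f"IP changed {prev_ip} -> {r['ipAddress']}")
        if not (r.get("deviceDetail") or {}).get("deviceId"):
            notes.append("no device identity (empty deviceId)")
        if r.get("riskState") in ("atRisk", "confirmedCompromised"):
            notes.append(f"riskState={r['riskState']}")
        out.append((r["createdDateTime"], r["appDisplayName"], notes))
        prev_ip = r["ipAddress"]
    return out

if __name__ == "__main__":
    for when, app, notes in triage(SAMPLE):
        print(when, app, "; ".join(notes) or "nothing flagged")
```

To use it on real data, replace `SAMPLE` with the user's sign-in records exported as JSON from the sign-in logs.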
