Hey everyone! I'm trying to figure out if there's a way to streamline our Conditional Access policies so that users only have to complete MFA once when accessing multiple applications. Currently, I find that when I log in through our VPN, I get asked for MFA there, then again in Edge using SSO, and once more in Outlook. Is there a method to have a single MFA prompt shared across all apps on Windows 10/11 devices? Thanks in advance!
2 Answers
You could look into implementing Windows Hello for Business. Once you have that set up, it should help in reducing MFA prompts since it provides a seamless authentication experience. Just make sure you've got it configured correctly in your Conditional Access policies to allow it for users.
Another method is to make your VPN's WAN IP a trusted location. You can set the VPN to require MFA on login, but then configure other apps not to require MFA when accessed from a trusted location. This would work well if you're using a full tunnel VPN or a SASE solution, and make sure to add your office's public IP as a trusted location too.
I've actually suggested this to management already. I'm also considering a more relaxed session time for corporate/VPN IPs, but still asking for MFA every time on the VPN.
To enhance this further, consider a SASE solution that offers multiple public IP options, which could reduce your dependence on the VPN being constantly connected.
I thought that might be the case! So we need to set that up first before we can avoid multiple prompts?
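As an added example (not from any answer in this thread), the trusted-location approach described in the second answer, expressed with the Microsoft Graph PowerShell SDK: one policy keeps MFA on the VPN app itself, a second requires MFA for every other app except from trusted locations. The CIDR ranges, VPN app ID and policy names are placeholders.

```powershell
# Added example, not from the thread: "VPN egress IP as trusted location" pattern via
# the Microsoft Graph PowerShell SDK. CIDRs, app ID and names are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location containing the VPN WAN IP and the office public IP, marked trusted.
#    Only meaningful with a full-tunnel VPN/SASE: split-tunnel clients egress elsewhere.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corp VPN and office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" } # VPN WAN IP (placeholder)
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/24" } # office (placeholder)
    )
}

# 2. Policy A: the VPN app always requires MFA, from any location.
#    This is the single prompt users still complete.
$vpnAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: your VPN's Entra app (client) ID
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 - VPN always requires MFA"
    state       = "enabledForReportingButNotEnforced"  # report-only first; set "enabled" after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @() }  # exclude your break-glass accounts here
        applications = @{ includeApplications = @($vpnAppId) }
        locations    = @{ includeLocations = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Policy B: MFA for all other cloud apps, except when the request comes from a
#    trusted location. Once on the VPN, Edge and Outlook egress from the trusted IP
#    and are not prompted again.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 - MFA for all apps outside trusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @() }
        applications = @{ includeApplications = @("All"); excludeApplications = @($vpnAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
```

Both policies are created in report-only mode so you can confirm in the sign-in logs that VPN-connected sessions are evaluated as coming from the trusted location before enforcing them.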