I'm curious if anyone else has implemented conditional access policies in their Microsoft 365 tenant. Recently, I've noticed that when the token for Multi-Factor Authentication (MFA) expires, users are logged out of their applications and forced to sign in again for each desktop app. I'm under the impression that a single sign-in should suffice, but I'm receiving a lot of complaints from users and upper management about this hassle. Any suggestions or tips on how to improve this situation?
3 Answers
Have you enabled seamless single sign-on (SSO)? That could help reduce the need for multiple logins. Just a heads-up, though, some people see seamless SSO as a potential security risk, so it's a bit of a trade-off.
Check the legacy per-user MFA settings and make sure those are turned off. I had issues with Outlook prompting users, even though I didn’t set any session expiration in the conditional access policies. Also, ensure that the option to remember devices is switched off—basically do a factory reset on all legacy MFA settings.
They retired those legacy per-user MFA settings back in October, so that might not apply anymore.
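The answer two comments up points at the right place to look: the session controls on the Conditional Access policies themselves, where a sign-in frequency of "every time" or a short time window, or a persistent-browser mode of "never", is what makes Office desktop apps prompt again once the session window lapses. The PowerShell below is an added example, not code posted in this thread. It summarizes those controls per policy and flags the ones likely to cause prompts. The function `Get-CaReauthSummary` is a hypothetical name; it reads the `SessionControls` and `GrantControls` property shape returned by `Get-MgIdentityConditionalAccessPolicy` from the Microsoft Graph PowerShell SDK, and the two sample policies are constructed inline so the script runs without a tenant connection.

```powershell
# Added example (not from the original thread). Summarizes the Conditional Access
# session controls that force re-authentication. Get-CaReauthSummary is a
# hypothetical helper name; the property names it reads (SessionControls.SignInFrequency,
# SessionControls.PersistentBrowser, GrantControls.BuiltInControls) match the objects
# returned by Get-MgIdentityConditionalAccessPolicy (Microsoft Graph PowerShell SDK).

function Get-CaReauthSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Policy
    )
    process {
        $sif = $Policy.SessionControls.SignInFrequency
        $pb  = $Policy.SessionControls.PersistentBrowser

        # Sign-in frequency: either "everyTime" or a time-based window (hours/days).
        $sifText      = 'not set'
        $forcesReauth = $false
        if ($sif -and $sif.IsEnabled) {
            if ($sif.FrequencyInterval -eq 'everyTime') {
                $sifText      = 'every time'
                $forcesReauth = $true
            }
            else {
                $sifText = "$($sif.Value) $($sif.Type)"
                # A window shorter than one day will prompt desktop apps several times per day.
                $hours = if ($sif.Type -eq 'days') { [int]$sif.Value * 24 } else { [int]$sif.Value }
                $forcesReauth = $hours -lt 24
            }
        }

        # Persistent browser: 'always' keeps the session across browser restarts, 'never' drops it.
        $pbText = 'not set'
        if ($pb -and $pb.IsEnabled) { $pbText = $pb.Mode }

        [pscustomobject]@{
            Policy              = $Policy.DisplayName
            State               = $Policy.State
            RequiresMfa         = [bool]($Policy.GrantControls.BuiltInControls -contains 'mfa')
            SignInFrequency     = $sifText
            PersistentBrowser   = $pbText
            LikelyCausesPrompts = $forcesReauth -or ($pbText -eq 'never')
        }
    }
}

# Constructed sample policies shaped like the Graph SDK output, so this runs offline.
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName     = 'Require MFA for all users'
        State           = 'enabled'
        GrantControls   = [pscustomobject]@{ BuiltInControls = @('mfa') }
        SessionControls = [pscustomobject]@{
            SignInFrequency   = [pscustomobject]@{
                IsEnabled = $true; Type = 'hours'; Value = 1
                FrequencyInterval = 'timeBased'; AuthenticationType = 'primaryAndSecondaryAuthentication'
            }
            PersistentBrowser = [pscustomobject]@{ IsEnabled = $true; Mode = 'never' }
        }
    },
    [pscustomobject]@{
        DisplayName     = 'Block legacy authentication'
        State           = 'enabled'
        GrantControls   = [pscustomobject]@{ BuiltInControls = @('block') }
        SessionControls = $null
    }
)

$samplePolicies | Get-CaReauthSummary | Format-Table -AutoSize

# Against a real tenant, replace the sample input with the live policies (read-only scope):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgIdentityConditionalAccessPolicy -All |
#       Where-Object State -eq 'enabled' |
#       Get-CaReauthSummary | Format-Table -AutoSize
```

With the constructed input, the first policy is reported with a one-hour sign-in frequency and persistent browser set to never, so `LikelyCausesPrompts` is true; the second has no session controls and is not flagged. Run against a live tenant, any policy flagged this way is the first place to look before touching SSO or legacy MFA settings, and the fix is a policy change rather than a client-side one.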
We set up SSO in our organization so that users don't have to log into their desktop apps after they've logged into their system and authenticated with DUO. It has worked well for us!
Nice! How exactly did you configure it?

True, but making users constantly reauthenticate for every app could lead to an even bigger security risk.