I'm currently using Entra SAML to log into a different application and have set up a conditional access policy that requires MFA for every login. However, I'm noticing that users aren't being prompted for MFA at every sign-in as I intended. The logs indicate that the MFA requirement is being satisfied by claims in the token, which isn't ideal due to the risk of token theft. I want users to have to go through the Microsoft Authenticator for every login. I've explored session controls but some users still authenticate through token issuance. Does anyone have advice on how to enforce this?
2 Answers
You're correct that since you're using SAML, you can enforce this. Make sure your Service Provider is including the ForceAuthn attribute in the request to Entra ID. This is crucial for making sure the MFA process triggers effectively at every sign-in. You can find more about that in the Microsoft documentation on SSO with SAML.
It sounds like you're already on the right track with your Conditional Access settings! Just keep in mind that the "Every time" sign-in frequency mainly affects how often Entra ID checks the session. It doesn't directly trigger an MFA prompt if there's a valid MFA claim in the session. For a real interactive MFA challenge, you might want the application to have a mechanism to request a new token, like using the ForceAuthn flag, especially if the session has expired or is otherwise invalid.
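As an added illustration (not code from either answer or from Microsoft), the following Python builds a SAML 2.0 AuthnRequest with ForceAuthn="true", encodes it for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded into the SAMLRequest query parameter), and includes a small check you can run against a SAMLRequest captured from your own SP's redirect to confirm the flag is really being sent. The SP entity ID, ACS URL and the tenant ID in the Entra ID SSO URL are placeholders I made up for the example; substitute your own.

```python
"""Build, encode and inspect a SAML 2.0 AuthnRequest that carries ForceAuthn.

Added example for the thread above; not the original poster's code.
The SP entity ID, ACS URL and tenant ID below are assumed placeholders.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed values (placeholders, not taken from the original post).
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
ENTRA_SSO_URL = (
    "https://login.microsoftonline.com/"
    "00000000-0000-0000-0000-000000000000/saml2"  # replace with your tenant ID
)


def build_authn_request(force_authn: bool = True, request_id: str = "") -> str:
    """Return the AuthnRequest XML as a string.

    ForceAuthn="true" asks the IdP to re-authenticate the user even when an
    existing SSO session could otherwise satisfy the request silently.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": ENTRA_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Reverse of encode_redirect: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def redirect_url(xml: str, relay_state: str = "/") -> str:
    """Full IdP redirect URL; urlencode handles the URL-encoding of the base64."""
    query = urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})
    return f"{ENTRA_SSO_URL}?{query}"


def has_force_authn(xml: str) -> bool:
    """Check a decoded AuthnRequest actually sets ForceAuthn="true".

    Use this on the SAMLRequest value taken from your SP's redirect (after
    decode_redirect) to verify what the IdP is really receiving.
    """
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() == "true"


def captured_request_forces_authn(saml_request_param: str) -> bool:
    """Convenience: take the raw SAMLRequest parameter and answer the question."""
    return has_force_authn(decode_redirect(saml_request_param))


if __name__ == "__main__":
    req = build_authn_request(force_authn=True)
    print(req)
    print(redirect_url(req))
    # A request built without the flag is what a silently re-used session looks like.
    weak = encode_redirect(build_authn_request(force_authn=False))
    print("weak request forces re-auth:", captured_request_forces_authn(weak))
```

To check a live SP, copy the SAMLRequest value from the browser's redirect to login.microsoftonline.com, URL-decode it, and pass it to captured_request_forces_authn; if it returns False, the SP is not sending ForceAuthn regardless of what its settings page says. Note that the HTTP-POST binding carries the request base64-encoded without DEFLATE, so for a POSTed SAMLRequest skip the inflate step and call has_force_authn on the base64-decoded XML directly.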
Thanks for the clarification! I learned something new today 😉

Thanks a lot! I can set that in my application. I’ll definitely check it out, hope this resolves the issue!