Hey everyone! I'm trying to figure out if there's a way to streamline our Conditional Access policies so that users only have to complete MFA once when accessing multiple applications. Currently, I find that when I log in through our VPN, I get asked for MFA there, then again in Edge using SSO, and once more in Outlook. Is there a method to have a single MFA prompt shared across all apps on Windows 10/11 devices? Thanks in advance!
1 Answer
Another method is to make your VPN's WAN IP a trusted location. You can set the VPN to require MFA on login, but then configure other apps not to require MFA when accessed from a trusted location. This would work well if you're using a full tunnel VPN or a SASE solution, and make sure to add your office's public IP as a trusted location too.
To enhance this further, consider a SASE solution that offers multiple public IP options, which could reduce your dependence on the VPN being constantly connected.
I've actually suggested this to management already. I'm also considering a more relaxed session time for corporate/VPN IPs, but still asking for MFA every time on the VPN.