I'm trying to get a better grasp on how Multi-Factor Authentication (MFA) functions for company devices, particularly those that are enrolled in Entra or are hybrid devices. We have conditional access policies in place that require MFA, but it seems like users are only prompted during the initial setup and not afterward. In the Entra sign-in logs, I'm seeing indications that users have met the authentication requirements, like 'the user has satisfied this authentication strength' and 'authentication method: previously satisfied.' Is it correct to think that something is being cached in the browser, allowing the device to bypass further prompts? What steps can I take to ensure users are prompted for MFA more frequently?
2 Answers
Are you using Windows Hello for Business or macOS platform SSO? If those are in place, they're likely meeting the MFA requirements, which is why users aren’t being prompted again. Increasing prompts can lead to a frustrating experience for users.
Exactly! The first factor is the PIN or password (something you know), and then the compliant device acts as the second factor (something you have).
To make your MFA prompts more frequent, try adjusting the sign-in frequency settings in your Conditional Access policy under the SESSIONS section. You can either decrease the duration options or set the policy to require MFA every time.
Just a heads up—adjusting timeout settings may not immediately expire active auth tokens. Sometimes you need to clear cookies manually. I had to do this when I changed my Google password expiration settings.

No, we're not using Hello or platform SSO.
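To see how long an earlier MFA claim is actually being reused before changing the sign-in frequency setting mentioned in the second answer, the exported sign-in logs can be summarized per user. This is an added example, not code from any poster in the thread; the sample records are constructed and the JSON field names are assumed to match the sign-in log export.

```python
import json
from datetime import datetime

# Constructed sample records, not real tenant data. Field names are assumed to
# match the sign-in log JSON export (createdDateTime, userPrincipalName,
# authenticationDetails[].authenticationMethod / .succeeded).
SAMPLE = json.loads("""[
 {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true},
                            {"authenticationMethod": "Mobile app notification", "succeeded": true}]},
 {"createdDateTime": "2024-05-04T08:00:00Z", "userPrincipalName": "alice@example.com",
  "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": true}]},
 {"createdDateTime": "2024-05-01T12:00:00Z", "userPrincipalName": "alice@example.com",
  "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": true}]},
 {"createdDateTime": "2024-05-02T09:00:00Z", "userPrincipalName": "bob@example.com",
  "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": true}]}
]""")

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def reused_claim(sign_in):
    """True if any successful step was met from an existing token, not a new prompt."""
    return any(
        step.get("succeeded")
        and step.get("authenticationMethod", "").strip().lower() == "previously satisfied"
        for step in sign_in.get("authenticationDetails", []))

def mfa_reuse_report(sign_ins):
    """Per user: last fresh prompt, reuses since then, and longest reuse age in hours."""
    report = {}
    for s in sorted(sign_ins, key=lambda s: parse_ts(s["createdDateTime"])):
        ts = parse_ts(s["createdDateTime"])
        r = report.setdefault(s["userPrincipalName"],
                              {"last_prompt": None, "reused_since": 0, "max_age_hours": 0.0})
        if not reused_claim(s):
            r["last_prompt"], r["reused_since"] = ts, 0   # fresh authentication
            continue
        r["reused_since"] += 1
        if r["last_prompt"] is not None:   # None: the prompt predates the exported window
            age = (ts - r["last_prompt"]).total_seconds() / 3600
            r["max_age_hours"] = max(r["max_age_hours"], age)
    return report

if __name__ == "__main__":
    for user, row in mfa_reuse_report(SAMPLE).items():
        print(user, row)
```

A user whose `last_prompt` is `None` only ever appears with reused claims in the export, so the window needs to be widened to find the original prompt.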