How to Resolve MFA Authenticator Loop Issues?

Asked By TechWhiz89 On

I've had some experience with multi-factor authentication (MFA), but recently I've been running into a frustrating problem. Users set up the Authenticator app using their work email and everything works fine at first. However, after the 90-day session period ends, they get logged out of the app and can't receive prompts to log back into their accounts.

I've been advising people to delete the app, skip the sign-in window, and then wipe their MFA methods to set everything up again, which seems to solve the problem.

Is there a way to bypass the sign-in prompt for the MFA app through Conditional Access (CA) policy? It would be great to have a specific CA policy to add individuals temporarily so they can get back into the app and re-authenticate. What successful methods have you found to manage this issue?

4 Answers

Answered By MFA_Expert23 On

Have you checked if users are given an option to specify whether their accounts are for personal use or work/school? That might affect how MFA is applied to their accounts, potentially leading to these issues.

Answered By CloudGuru77 On

To implement a solution, you'll want to set up a Conditional Access policy for all users but exclude those who are facing this MFA issue until it's sorted out. This way, they can log back in more easily and hopefully resolve the problem.

AccountFixer12 -

That makes sense, but I’m more interested in preventing this from happening at all. Users can’t access the Authenticator app because it asks for an MFA code that's generated by itself!

Answered By UserSupport01 On

I haven’t encountered the 90-day logout issue you’re mentioning. Is it possible users have just not used the app in that timeframe? I have seen users get stuck in a 'need more information' loop, and removing them and adding them back usually clears that up, but not a 90-day auto-kick.

Answered By SysAdminGal On

This seems less like a problem with the Authenticator app itself and more about how the MFA app sign-in is being treated by Conditional Access. Before trying any workarounds, it’s good to check if the sign-in is categorized as a typical cloud app sign-in under your existing CA policies.
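The check suggested in the last answer can be run over an export of the tenant's sign-in log. This is an added example, not code from anyone in the thread: it reads records that use Microsoft Graph `signIn` field names and lists the enforced CA policies that demanded MFA for sign-ins to one app. The sample records, user names, policy names and the app display name `Microsoft Authenticator App` are constructed assumptions; substitute what your own log shows.

```python
import json
from collections import defaultdict

# Constructed sample data shaped like Graph signIn records (only fields used here).
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "ana@contoso.example", "appDisplayName": "Microsoft Authenticator App",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - All cloud apps", "result": "failure", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": ["Block"]}]},
 {"userPrincipalName": "ben@contoso.example", "appDisplayName": "Microsoft Authenticator App",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - All cloud apps", "result": "failure", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "ana@contoso.example", "appDisplayName": "Microsoft Authenticator App",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - All cloud apps", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "cy@contoso.example", "appDisplayName": "Microsoft Authenticator App",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Pilot - MFA for admins", "result": "reportOnlyFailure", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "ben@contoso.example", "appDisplayName": "Office 365 Exchange Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - All cloud apps", "result": "success", "enforcedGrantControls": ["Mfa"]}]}
]
""")

# Only these results mean the policy was really enforced; reportOnly*,
# notApplied and notEnabled did not affect the user's sign-in.
ENFORCED_RESULTS = {"success", "failure"}

def mfa_policies_hitting_app(signins, app_name):
    """Map each enforced CA policy that required MFA for `app_name` to the
    users it applied to and the number of failed evaluations."""
    report = defaultdict(lambda: {"users": set(), "failed": 0})
    for record in signins:
        if record.get("appDisplayName", "").lower() != app_name.lower():
            continue
        for policy in record.get("appliedConditionalAccessPolicies") or []:
            controls = [c.lower() for c in policy.get("enforcedGrantControls") or []]
            if policy.get("result") not in ENFORCED_RESULTS or "mfa" not in controls:
                continue
            entry = report[policy["displayName"]]
            entry["users"].add(record["userPrincipalName"])
            entry["failed"] += policy["result"] == "failure"
    return {name: {"users": sorted(e["users"]), "failed": e["failed"]}
            for name, e in report.items()}

if __name__ == "__main__":
    for name, info in mfa_policies_hitting_app(SAMPLE_SIGNINS, "Microsoft Authenticator App").items():
        print(f"{name}: {info['failed']} failed, users={info['users']}")
```

A policy that appears in this output with failures is the one whose scope or exclusions need review; report-only policies are skipped because they do not block the sign-in.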
