I set up a conditional access policy this week that requires users to be physically in the country to access cloud apps through their work accounts. Unfortunately, users are getting logged out every hour unless they manually sign back in because it seems the Microsoft Authenticator isn't automatically sharing their location as expected. I thought the issue might be related to needing the app's background usage to be set to 'Unrestricted'. There's a Microsoft article that mentions the app should share location silently for 24 hours if permissions are granted. However, when I tested it, I still had to manually click to sign back in. Furthermore, it mentions that for GPS location use, MFA push notifications need to be enabled, but our policy already requires MFA. I'm at a loss here. Microsoft support suggested using IP-based location instead, which isn't ideal for me as my IT manager wants both options for better security. Has anyone else tackled this issue? Am I missing something, or is it just impractical to use GPS with all apps?
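As an added example (not code from the question or from Microsoft), these Python helpers build the Microsoft Graph request bodies for the two country named-location variants the question contrasts, GPS via Authenticator versus client IP, plus a policy that blocks sign-ins from outside those locations; the location and group IDs are placeholders, and the policy defaults to report-only so the impact shows up in sign-in logs before anyone is blocked.

```python
import re

# Microsoft Graph v1.0 endpoints for named locations and conditional access policies.
NAMED_LOCATIONS_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# countryLookupMethod values accepted by a countryNamedLocation.
LOOKUP_METHODS = ("clientIpAddress", "authenticatorAppGps")


def country_named_location(display_name, countries, lookup_method, include_unknown=False):
    """Body for POST NAMED_LOCATIONS_URL creating a countryNamedLocation.

    include_unknown decides whether sign-ins whose country cannot be determined
    count as inside this location (relevant when the GPS lookup yields nothing).
    """
    if lookup_method not in LOOKUP_METHODS:
        raise ValueError(f"countryLookupMethod must be one of {LOOKUP_METHODS}")
    codes = [c.upper() for c in countries]
    bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad:
        raise ValueError(f"expected ISO 3166-1 alpha-2 codes, got {bad}")
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": codes,
        "includeUnknownCountriesAndRegions": include_unknown,
        "countryLookupMethod": lookup_method,
    }


def block_outside_locations(display_name, location_ids, group_ids, enforce=False):
    """Body for POST POLICIES_URL: block every sign-in not coming from location_ids.

    Report-only by default so re-prompts and blocks are observable before enforcement.
    """
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": list(group_ids)},
            "locations": {"includeLocations": ["All"], "excludeLocations": list(location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    # Constructed example: a GPS-based and an IP-based location for the same country.
    gps = country_named_location("Country (GPS)", ["nl"], "authenticatorAppGps")
    ip = country_named_location("Country (IP)", ["nl"], "clientIpAddress")
    # Placeholder IDs: the real ones are returned by the named-location POST responses.
    policy = block_outside_locations("Block outside country", ["<gps-id>", "<ip-id>"], ["<group-id>"])
    print(gps, ip, policy, sep="\n")
```

Sending these bodies requires a token with the Policy.ReadWrite.ConditionalAccess permission; the helpers only construct and validate the JSON.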
2 Answers
I hear you, but honestly, Microsoft's suggestion might be spot on. The more complex you make the sign-in process, the more issues you're likely to face. It's all about finding that sweet spot between security and user convenience. Just because GPS conditional access is an option doesn't mean it's the best choice, especially if it disrupts workflows.
Fair point! Just trying to figure it out though, you know?
On iOS, there's a restriction on using location services in the background unless a user explicitly allows it. So, if you're testing this on iPhones, that could be your issue. They have to authorize location use every so often, which may break what you're trying to achieve with silent location sharing. Maybe check if your users are on iOS and verify their settings?
Totally get that! But it feels like they shouldn’t offer GPS if it’s this problematic. I mean, it’s supposed to work seamlessly but clearly isn’t. If it continues to disrupt users, it might be better to stick with IP-based access for now.