Hey everyone! I need some help with a situation I've got. One of our users keeps getting prompted for multi-factor authentication (MFA) more often than he'd like, and I'm tasked with finding a solution. Here's the scoop: this user has multiple devices—a home computer, a travel laptop, and an office PC, plus an iPhone. He uses cellular data quite a bit on his laptop, which means his login IP addresses change frequently.
All of his devices are managed through Intune, and we have conditional access set up to block sign-ins from legacy apps and untrusted locations. However, I'm seeing many sign-in attempts from untrusted locations that are failing with incorrect passwords, along with messages like "Sign-in was blocked because it came from an IP address with malicious activity" and the error code 50053. Could these failed sign-ins be the reason he keeps getting MFA prompts?
3 Answers
If there are a lot of unfamiliar sign-ins and authentication requests, it might be a good idea to change his password and MFA settings. Keep in mind, if a login fails, it shouldn't trigger MFA since that happens after the initial password check. Also, using the 'Revoke Sessions' option in Azure AD can help ensure that any cached information isn’t causing the trouble.
Right! It's crucial to keep everything updated, especially if the account's been exposed before.
How often is he actually getting prompted for MFA?
Seems like it's about every second day, but not entirely sure.
It sounds like the frequent prompts might be related to incorrect password attempts from cached credentials across his devices. If he's switching between devices often, those cached credentials could trigger MFA requests more frequently. You might want to try signing out all sessions and revoking MFA tokens; forcing him to log in on each device can often clear up those bad cached credentials.
That makes sense! A forced logout sometimes helps in cases like this, particularly when one device is acting up.
Totally agree! If there's an old device still connected, it could cause problems too.
That's spot on! Changing the password could prevent unauthorized access, especially if the requests are from unexpected locations.
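An added example, not from any poster in this thread: one way to check the question asked above is to split the user's exported sign-in records into attempts rejected at the password or IP stage and sign-ins that reached an MFA challenge, then see which device and how many source IPs the challenges come from. Assumptions: records follow the Microsoft Graph signIn field names, the sample data is constructed, and codes 50126, 50074 and 50076 are added here (only 50053 appears in the thread).

```python
from collections import defaultdict

# Constructed sample records; field names follow the Microsoft Graph signIn
# resource (assumed export shape). IPs are documentation ranges, devices made up.
def rec(code, ip, device=""):
    return {"status": {"errorCode": code}, "ipAddress": ip,
            "deviceDetail": {"displayName": device}}

SAMPLE = [
    rec(50053, "203.0.113.7"), rec(50053, "203.0.113.7"),
    rec(50126, "198.51.100.23"),
    rec(50074, "192.0.2.10", "TRAVEL-LAPTOP"),
    rec(50074, "192.0.2.44", "TRAVEL-LAPTOP"),
    rec(50076, "192.0.2.91", "TRAVEL-LAPTOP"),
    rec(0, "192.0.2.200", "OFFICE-PC"),
    rec(50074, "192.0.2.200", "OFFICE-PC"),
]

# 50053 is the code quoted in the question; the other codes are assumptions
# added for this example: 50126 (invalid username or password) and
# 50074 / 50076 (strong authentication required, i.e. an MFA challenge).
REJECTED_BEFORE_MFA = {50053, 50126}
MFA_CHALLENGE = {50074, 50076}

def triage(records):
    """Split sign-ins into rejected attempts and MFA challenges per device."""
    rejected = defaultdict(int)                      # source IP -> count
    prompts = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in records:
        code, ip = r["status"]["errorCode"], r["ipAddress"]
        if code in REJECTED_BEFORE_MFA:
            rejected[ip] += 1
        elif code in MFA_CHALLENGE:
            name = r.get("deviceDetail", {}).get("displayName") or "(unknown)"
            prompts[name]["count"] += 1
            prompts[name]["ips"].add(ip)
    prompted_ips = set().union(*(p["ips"] for p in prompts.values()))
    # IPs that were both rejected and MFA-challenged deserve a closer look.
    overlap = sorted(prompted_ips & set(rejected))
    return dict(rejected), dict(prompts), overlap

if __name__ == "__main__":
    rejected, prompts, overlap = triage(SAMPLE)
    print("rejected by source IP:", rejected)
    for name, p in prompts.items():
        print(f"{name}: {p['count']} MFA challenges from {len(p['ips'])} IPs")
    print("IPs in both sets:", overlap)
```

An empty overlap with challenges concentrated on one device seen from many IPs points at that device's changing network location rather than at the rejected attempts.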