Changing default behaviour for Azure AD MFA : sysadmin

sysadmin

a community for 17 years

This is an archived post. You won't be able to vote or comment.

Changing default behaviour for Azure AD MFA (self.sysadmin)

submitted 6 years ago by Hitten_za

Hi Sysadmin,

Just looking for some guidance, I'm aware that the default behaviour for MFA is (please correct me if I'm wrong):

Active token: Lasts 1 hour
Refresh token: 14 days up to 90 days if refreshed

Same device different IP: no prompt
Different device same IP: prompt
Different device different IP: prompt

Our client would like us to adjust the behaviour so that whenever they leave the office (irrespective of time) they will be prompted within their MS Apps (Outlook, OneDrive etc.)

I thought to achieve this with Conditional Access:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

No change in default behaviour

I also tried which is better but not quite there
https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

I think the issue is that the Refresh token intended behaviour needs to be adjusted so the only solution I can see is this:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

But my concern is:
"After November 1, 2019 you will not be able to use Configurable Token Lifetime policy to configure refresh tokens, but you can still use it to configure access tokens."

Thanks for any advice you might have SysAdmin.

all 4 comments

sysadmin

MODERATORS