Will IP changes trigger reauthentication for Microsoft Conditional Access MFA?

Question

I am currently implementing Azure Conditional Access for a large group of users. Everything looks good, but we are getting complaints that people need to reauthenticate to often. We have configured the "Rememeber MFA" checkbox for 30 days. I would expect that if somebody logs in on device X with this checkbox checked, they would not have to provide a MFA token for the next 30 days; independent of their IP. But it seems that people get MFA challenges when switching a lot from IPs.

Is this correct behaviour? And what is the trigger for requesting a new MFA token? Also, suggestions to "fix" this behaviour?

Do your conditional access rules specify trusted IP address ranges? — Greg Askew, Feb 21 '20 at 10:45

score 0 · Answer 1 · answered Feb 21 '20 at 09:04

0

The remember MFA functionality is built on a the device having a cooking installed, so IP changes should not impact this. Is it possible that users are either deleting the cookie or using a different browser or device?

answered Feb 21 '20 at 09:04

Sam Cogan

38,736
6
78
114

Will IP changes trigger reauthentication for Microsoft Conditional Access MFA?

1 Answers1