Azure MFA Authentication Loop Fix

Issue: Office 365 Web apps users (SharePoint Online, Office.com, OWA etc.) will receive the MFA prompt every time after opening the browser.
Ideally the browser should honor the “Stay signed in?” messages when there are no session lifetime settings configured.
When the user click Yes, the persistent browser cookie will get saved and work for 90 days. However if the user states changes it will be refreshed.

I’ve recently noticed, even though the above setting is setup, users will still get the re-authenticate when they close and open web apps. This is the same even after clearing browser cache and updating the browser.

Solution:

If you are using Conditional Access Policies to configure MFA, make sure you have check the Always Persistent option in the Session section in your MFA Conditional Access Policy.

Note that this will override the “Stay signed in” message and the cookie will get saved regardless until the user state changes. This is best to setup in a non Azure AD managed device, but still you can use it in a Azure AD Registered device or a Non-managed device according to Microsoft.

If you are using the free tire of Azure AD, make sure the Remember my device option is selected. Users will have option to consent to remember the device.

MFA Conditional Access Policy view

Azure AD Free tier Setting

Azure AD -> Users -> Multi Factor Authentication -> Service Settings

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.