Azure – How to configure proper SSO with Azure MFA and Office 365


Azure MFA has been the cause of many frustrations since our IT department activated it. I post here in the hope that it is a misconfiguration on their part.

  • We use Azure AD backed by an on-prem Active Directory and ADFS.
  • Remember multi-factor authentication is set to 1 day

Pain points:

  • When I start the day, I need to log on separately in all applications and accept the MFA request for each. It looks like the "remember 1 day" setting does not work.
  • MFA requests are sent unattended over the weekend. It looks like Office applications are trying to log on without user interaction even if the computer is locked.

So the question is, is there a way to fix those pain points or is it just the way it is? The IT department is strict on keeping the "remember 1 day" setting and not using trusted IPs.


EDIT

The issue might be caused by the Office apps not sharing the cached credentials, so you need to log on separately in each application (and accept the MFA).

Regarding the unattended MFA requests, this is caused by the Office apps requesting a logon without user interaction (even if the Windows session is locked).

So these pain points are probably not caused by Azure MFA; the web experience is fine. The issue is in the Office apps, which don't have a good user experience with logons.

Best Answer

When I start the day, I need to log on separately in all applications and accept the MFA request for each. It looks like the "remember 1 day" setting does not work.

Do you mean that after choosing to remember, you are still required to use your phone to authenticate when you log in?

Remembering Multi-Factor Authentication works by setting a persistent cookie on the browser when a user checks the "Don't ask again for X days" box at sign-in. The user won't be prompted for MFA again from that browser until the cookie expires (the password is still required).

Also, if we want to use this feature, we should use the same browser and the same device; if we switch, or clear the cookies, we are prompted to verify again.

MFA requests are sent unattended over the weekend. It looks like Office applications are trying to log on without user interaction even if the computer is locked.

Maybe your Office applications refresh by themselves, or someone is trying to log in to your account; please contact your Azure AD admin and check the logs.

We can find the logs here: [screenshot]
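As an added example, not part of the answer above and not Microsoft tooling: a small Python triage over exported sign-in log records that separates the two explanations the answer gives (Office clients refreshing tokens silently versus a sign-in from an unfamiliar address). Field names follow the Microsoft Graph signIn schema; the records, the corporate egress IP and the triage labels are constructed assumptions.

```python
"""Triage unattended weekend MFA prompts from exported sign-in log records."""
import json
from datetime import datetime

# Constructed sample export. Field names mirror the Microsoft Graph signIn
# schema (createdDateTime, appDisplayName, clientAppUsed, isInteractive,
# ipAddress, status.errorCode); every value below is invented for this example.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2023-06-03T02:14:09Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "clientAppUsed": "Mobile Apps and Desktop clients",
     "isInteractive": False, "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-06-04T11:40:51Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "isInteractive": True, "ipAddress": "198.51.100.77", "status": {"errorCode": 50074}},
    {"createdDateTime": "2023-06-05T08:02:33Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "isInteractive": True, "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
])

# Assumed corporate egress address; an admin would fill this from their own network.
KNOWN_IPS = {"203.0.113.10"}


def _parse_time(stamp):
    """Graph timestamps end in 'Z'; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def classify(record, known_ips=KNOWN_IPS):
    """Label one sign-in record with the most likely cause of its MFA prompt."""
    familiar = record["ipAddress"] in known_ips
    if not record["isInteractive"] and familiar:
        return "client-token-refresh"      # Office app renewing tokens in the background
    if not familiar:
        return "unfamiliar-ip"             # someone else may be trying the account
    return "interactive-expected"          # the user signed in from a known place


def triage(raw_json, known_ips=KNOWN_IPS):
    """Keep only weekend sign-ins and group the app names by triage label."""
    summary = {}
    for rec in json.loads(raw_json):
        if _parse_time(rec["createdDateTime"]).weekday() < 5:   # Mon-Fri skipped
            continue
        summary.setdefault(classify(rec, known_ips), []).append(rec["appDisplayName"])
    return summary
```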