locked
Question about 'remember multi-factor authentication' setting RRS feed

  • Question

  • If we set a 7 day grace period before a user receives a new MFA challenge/prompt, that applies to the particular device that the app is being accessed from, correct?  For example, let's say i have two different laptops side-by-side.  On the first one i access OWA and check the box "Don't ask again for 7 days".  I then get my MFA approve/deny prompt on my phone (we use Microsoft Authenticator), tap approve, and then webmail opens.  Now if i go to the second laptop and go to the same mailbox via OWA, would i get another MFA prompt, or would i still be covered by the 7 day grace period from the first PC approval?

    I guess what i'm asking is if the "Don't ask again.." setting is per device or per application?  I'm pretty sure it's device, but just wanted to confirm.  Additionally, is there anything that might effect the 7 day grace period on the first laptop?  For example, if i changed network connections a lot (like going from my home wifi, to a friends wifi, to a StarBucks wifi over the course of a day or two)?  Would the changing IP's generate a new MFA approve/deny prompt before the 7 days were up in that scenario?  ..Or any other scenario?  Or is it set in stone on that device so long as the persistent cookie isn't deleted or modified at all.?

    And my last question..  Let's say the first laptop also has has OneDrive for Business on it and OneDrive has MFA applied to it.  I I should expect two receive two prompts in that scenario, correct?  That is, one for OWA and another for OneDrive?  ..And again, even though those two prompts were application specific (i shouldn't expect the first MFA prompt for OWA to cover the MFA requirement for OneDrive), they're application specific only on that one laptop? 

    Thanks in advance.

    *BTW, i did read through https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#suspend-multi-factor-authentication-for-remembered-devices-and-browsers-public-preview but obviously it didn't answer the specific questions i'm asking here.  :)

    Wednesday, July 10, 2019 1:49 PM

Answers