skip to Main Content

Move from remember MFA on trusted device to Conditional Access sign-in frequency

You have enabled remember Multi-Factor Authentication on trusted device in Office 365 Multi-Factor Authentication. When you look at the setting, you see that Microsoft recommends using Conditional Access sign-in frequency. Let’s look at how to move from remember Multi-Factor Authentication on trusted devices to Conditional Access sign-in frequency.

Introduction

Moving from Microsoft 365 MFA to Azure Active Directory Conditional Access can be done in three steps:

  1. Move from per-user MFA to Conditional Access MFA
  2. Move from MFA trusted IPs to Conditional Access named locations
  3. Move from remember MFA on trusted device to Conditional Access sign-in frequency (this article)

Conditional Access sign-in frequency

You want to move from remember Multi-Factor Authentication on trusted device to Azure Active Directory Conditional Access sign-in frequency. Before you do that, what are the advantages and disadvantages?

Advantages for Azure Active Directory Conditional Access sign-in frequency:

  • Sign-in frequency
  • Persistent browser session
  • Integrates with Azure AD MFA

Disadvantages for Azure Active Directory Conditional Access sign-in frequency:

  • Pay for the subscription

Conditional Access requires Azure AD Premium 1 or 2. We recommend explaining to the customer why they should pay (subscribe) for Azure AD premium. Tell them the benefits and how security will improve. Also, managing will be much easier for the administrators, which will save time.

Check Azure AD Premium license

Check that you have Azure AD Premium plan 1 or 2. Sign in to Microsoft Azure. In the portal, navigate to Azure Active Directory > Overview. In the example below, the tenant got the Azure AD Premium P2 license.

Move from remember MFA on trusted device check Azure AD license

Remember multi-factor authentication on trusted device

Verify first that the setting remember multi-factor authentication on trusted device is enabled. If yes, you will copy the number of days that are set and disable the setting.

Verify remember multi-factor authentication on trusted device

Navigate to Azure Active Directory > Security > Conditional Access > MFA > Getting started. Click on Additional cloud-based MFA settings.

Another way is to go directly to the Additional cloud-based MFA settings page.

Move from remember MFA on trusted device Configure additional cloud-based MFA settings

A new page will show up. Go to the section remember multi-factor authentication on trusted device. Check if the setting Allow users to remember multi-factor authentication on trusted device is enabled.

In our example, the number of days users can trust devices for is 30 days.

Note: For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to ‘Remember MFA on a trusted device’ settings. If using ‘Remember MFA on a trusted device,’ be sure to extend the duration to 90 or more days.

Verify setting allow users to remember multi-factor authentication on devices they trust (between one to 365 days)

Uncheck remember multi-factor authentication on trusted device

Copy the number of days and save it to Notepad. After that, uncheck Allow users to remember multi-factor authentication on devices they trust (between one to 365 days). Click on Save (it’s down below).

The unchecked setting will look like this.

Uncheck allow users to remember multi-factor authentication on devices they trust (between one to 365 days)

Enable Conditional Access sign-in frequency

Sign in to the Azure portal. Navigate to Azure Active Directory > Security > Conditional Access. Click on the MFA policy to edit the policy. Another option is to create a new policy for the sign-in frequency setting.

If you don’t have an MFA policy, read the article Configure Azure AD Multi-Factor Authentication.

In the Conditional Access policy, navigate to Session. Enable Sign-in frequency and insert the days that you copied in the previous step. In our example, it’s 30 days. Enable Persistent browser session and choose in the dropdown menu for Always persistent. Click on Select.

Ensure that you enable the policy. Click on Save.

That’s it!

Read more: Conditional Access MFA breaks Azure AD Connect synchronization »

Conclusion

In this article, you learned how to move from remember MFA on trusted device to Conditional Access sign-in frequency. Check if the setting Allow users to remember multi-factor authentication on devices they trust (between one to 365 days) is configured and copy the number of days. After that, uncheck the setting.

Create a new Conditional Access policy or edit an existing Conditional Access policy. Enable the sign-in frequency setting to extend session lifetimes and add the number of days that you copied. As of last, verify your work and sign in with a test account.

Did you enjoy this article? You may also like Restrict access to Azure AD administration portal. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *