1212pro

Change token length in Office 365 for Multi-factor authentication

Hello, I've enabled multi-factor authentication in Office 365 in a test group. The app password seems to be OK when logging into Outlook or another MS app, but the Office 365 portal makes me authenticate every time I log into the Office 365 portal. (My users would revolt if I put this in place.) I understand there is a token being used to control the process, but how would I increase the token length to 1 or 2 weeks from a previously authenticated machine? Is this possible? I understand the importance of needing to authenticate on a machine for the first time.

Also, one of the authentication methods I would like to use, a call back to a desk phone/extension, is grayed out in the O365 portal during the user registration for MFA. Any way to fix this?
Thanks in advance
Vasil Michev (MVP)

First of all, you should NOT be using app passwords unless absolutely necessary. Outlook 2013+ and all the mobile applications made by Microsoft support Modern authentication and thus can use MFA just fine.

For the token - validity should be 90 days by default/unlimited with use, unless you have made changes to the default lifetimes (https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/active-directory-configurable-token-lifetimes.md). Bear in mind that specific applications (mostly the different admin centers or anything exposing security related information) will actually *require* you to perform MFA challenge every time. In addition, conditional policies can be configured to again require MFA in some scenarios, so check for that.

For the Office phone, check whether the corresponding setting is enabled under https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset
1212pro (ASKER)

Hello Vasil, is there a PowerShell command I can use that would allow me to view the existing policies for Token Timeouts? I had my regular user try to access the O365 Portal again and she still is forced to authenticate through her phone before it logs her in. Her last successful authentication/login was about an hour ago.
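
An added example, not part of the original thread and not Microsoft's own code: one way to check whether the default token lifetimes have been changed, by listing any token lifetime policies and the settings they override. It assumes the AzureADPreview module's `Connect-AzureAD` and `Get-AzureADPolicy` cmdlets and the setting names from the token lifetimes document linked above; `Get-TokenLifetimeSummary` is a hypothetical helper name and the sample policy is constructed.

```powershell
# Added example: summarise Azure AD token lifetime policies.
# Get-TokenLifetimeSummary is a hypothetical helper name, not a Microsoft cmdlet.
function Get-TokenLifetimeSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # Get-AzureADPolicy also returns other policy types; skip those.
        if ($Policy.Type -ne 'TokenLifetimePolicy') { return }
        foreach ($json in $Policy.Definition) {
            # Each Definition entry is a JSON string with the settings under a
            # "TokenLifetimePolicy" key. Settings that are not listed keep the
            # service default and show up empty in the output.
            try {
                $s = ($json | ConvertFrom-Json -ErrorAction Stop).TokenLifetimePolicy
            } catch {
                Write-Warning "Unparseable definition in '$($Policy.DisplayName)'"
                continue
            }
            [pscustomobject]@{
                Policy                   = $Policy.DisplayName
                OrgDefault               = $Policy.IsOrganizationDefault
                AccessTokenLifetime      = $s.AccessTokenLifetime
                MaxInactiveTime          = $s.MaxInactiveTime
                MaxAgeSingleFactor       = $s.MaxAgeSingleFactor
                MaxAgeMultiFactor        = $s.MaxAgeMultiFactor
                MaxAgeSessionMultiFactor = $s.MaxAgeSessionMultiFactor
            }
        }
    }
}

# Constructed sample policy object, shaped like Get-AzureADPolicy output,
# so the function can be tried without a tenant.
$sample = [pscustomobject]@{
    DisplayName           = 'Constructed sample policy'
    Type                  = 'TokenLifetimePolicy'
    IsOrganizationDefault = $true
    Definition            = @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"14.00:00:00","MaxAgeMultiFactor":"until-revoked"}}')
}
$sample | Get-TokenLifetimeSummary | Format-List

# Against a live tenant (AzureADPreview module, admin sign-in):
#   Connect-AzureAD
#   Get-AzureADPolicy | Get-TokenLifetimeSummary | Format-List
# No output means no token lifetime policy exists and the defaults apply.
```
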
1212pro (ASKER)

Where would I find the conditional policies?
1212pro (ASKER)

We don't have Azure Premium in Office 365; we are using the free version. It looks like Conditional Access policies require an upgrade. So hopefully they are defaulted at the 90 day timeout.
1212pro (ASKER)

Needed to open a case with Microsoft to confirm the requested modifications could not be made.