MFA Challenge Frequency? (Less than every 60 days?)

We’ve enabled Microsoft MFA for our Office 365 Accounts (

I remain a bit unclear as to how frequently it’s supposed to expire and require a fresh text code.


1. Does it matter if I switch between Starbucks WiFi and McDonalds WiFi?  We have it set up so it never asks for MFA if you are on OUR internal WiFi network.  If I’m not on OUR WiFi, does it matter WHICH WiFi?  Or is the fact that I'm switching between work WiFi and non-work WiFi causing issues?

2. How long should it last?  I believe if using a web browser, there’s a checkbox to ‘don’t ask for 60 days’.  However, if I’m using the Outlook App on a laptop, it doesn’t offer the 60 days.  How frequently is it supposed to ask?

A user was on vacation and was using Outlook on a Surface just fine.  However, as soon as she went on the airplane (American Airlines), it immediately wanted MFA.  Any ideas why?

Thanks for any clarifications,

It will ask when you change geographic locations.  The idea is that if you suddenly appear in a distant, or previously unknown geographic location, it will prompt immediately.
"... and require a fresh text code."
If you're still using an SMS text message as a 2nd factor, I strongly urge that you change it to the more secure App password for each instance of Outlook.  You can avoid the insecure SMS text.  You can also avoid the constant message prompting you for 2FA text.

Vasil Michev (MVP) Commented:
Actually, the refresh token you get remains valid across network locations, unless you have specifically configured a Conditional access policy. The reason is simple - Office 365 is a Public SaaS offering, and thus is accessible from anywhere, anytime, by design. It doesn't "know" what your internal network is, and generally doesn't care. Now, you as the admin have options to configure restrictions or simply specify "trusted" IPs if you need to, and as I mentioned above you can configure conditional access policies based on location:

Keep in mind though that the different workloads in O365 might have different settings with respect to the refresh token validity. Some are documented here:

It also depends on the application, more specifically on the type of authentication it supports. In general, all MS apps support ADAL now, thus will offer refresh token validity of 90+ days. If you are using older versions of Office however, this will not be true.

Furthermore, you can customize the token lifetimes, including the MFA token lifetime, however this method will soon be deprecated, so I would advise against it.

P.S. Stay away from app passwords, those are not "safe", there's a reason why we're not allowed to log in to any of the admin tools with an app password...
mike2401 (Author) Commented:
Thank you!!