MFA Challenge Frequency? (Less than every 60 days?)

mike2401 asked:
We’ve enabled Microsoft MFA for our Office 365 Accounts (aka.ms/MFAsetup).

I remain a bit unclear as to how frequently it’s supposed to expire and require a fresh text code.

QUESTIONS:

1. Does it matter if I switch between Starbucks WiFi and McDonalds WiFi?  We have it set up so it never asks for MFA if you are on OUR internal WiFi network.  If I’m not on OUR WiFi, does it matter WHICH WiFi?  Or is the fact that I'm switching between work WiFi and non-work WiFi causing issues?

2. How long should it last?  I believe if using a web browser, there’s a checkbox to ‘don’t ask for 60 days’.  However, if I’m using the Outlook app on a laptop, it doesn’t offer the 60 days.  How frequently is it supposed to ask?

A user was on vacation and was using Outlook on a Surface just fine.  However, as soon as she went on the airplane (American Airlines), it immediately wanted MFA.  Any ideas why?

Thanks for any clarifications,
Mike
It will ask when you change geographic locations.  The idea is that if you suddenly appear in a distant, or previously unknown geographic location, it will prompt immediately.
... and require a fresh text code.
If you're still using an SMS text message as a 2nd factor, I strongly urge that you change it to the more secure App password for each instance of outlook.  You can avoid the insecure SMS text.  You can also avoid the constant message prompting you for 2FA text.
https://support.microsoft.com/en-us/help/12409/microsoft-account-app-passwords-two-step-verification
https://support.office.com/en-us/article/Create-an-app-password-for-Office-365-3e7c860f-bda4-4441-a618-b53953ee1183
Expert (Most Valuable Expert 2015, Distinguished Expert 2018) commented:
Actually, the refresh token you get remains valid across network locations, unless you have specifically configured a Conditional Access policy. The reason is simple: Office 365 is a public SaaS offering, and thus is accessible from anywhere, anytime, by design. It doesn't "know" what your internal network is, and generally doesn't care. Now, you as the admin have options to configure restrictions or simply specify "trusted" IPs if you need to, and as I mentioned above you can configure Conditional Access policies based on location: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Keep in mind though that the different workloads in O365 might have different settings with respect to the refresh token validity. Some are documented here: https://docs.microsoft.com/en-us/office365/enterprise/session-timeouts

It also depends on the application, more specifically on the type of authentication it supports. In general, all MS apps support ADAL now, thus will offer refresh token validity of 90+ days. If you are using older versions of Office, however, this will not be true.

Furthermore, you can customize the token lifetimes, including the MFA token lifetime, however this method will soon be deprecated, so I would advise against it.

P. S. Stay away from app passwords, those are not "safe", there's a reason why we're not allowed to login to any of the admin tools with app password...
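
As an added example (not code from any post in this thread), the following shows how an admin could implement what the comment above describes using the Microsoft Graph PowerShell SDK: a trusted named location for the office egress range, and a Conditional Access policy that requires MFA from every other location and sets a 60-day sign-in frequency. The sign-in frequency session control in Conditional Access is the supported replacement for the configurable token lifetime policy the comment advises against. The CIDR range, display names and break-glass group ID are placeholders, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example for this thread, not code from any of the posts.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an
# account that can consent to Policy.ReadWrite.ConditionalAccess.
# The office CIDR, display names and break-glass group ID are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. Trusted named location covering the office's public egress range.
#    203.0.113.0/24 is a documentation range; substitute the real NAT address(es).
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Exclude an emergency-access (break-glass) group so a policy mistake
#    cannot lock every admin out. Placeholder object ID.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# 3. Conditional Access policy: all users, all cloud apps, any location except
#    the trusted one -> require MFA, and re-prompt at most every 60 days.
#    Report-only first; set state to "enabled" after reviewing sign-in logs.
$policy = @{
    displayName = "Require MFA outside the corporate network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocation.Id)
        }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            frequencyInterval = "timeBased"
            type              = "days"
            value             = 60
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

The location exclusion is what gives the "never asks on our WiFi" behaviour the question describes, and it only works if the office's real public egress addresses are in the named location; a user who leaves that range, whether to a coffee shop or to in-flight WiFi, falls under the policy and is prompted. The sign-in frequency applies per policy to every client that honours it, which is the consistent replacement for the browser-only "don't ask for 60 days" checkbox.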

Author commented:
Thank you !!

Author commented:
Thanks!
