365 MFA roll out problems and best practice

advice on configuring and using 365 MFA
We are currently testing MFA.
We have an issue where, when a user changes their password or when they are getting prompted for MFA, multiple applications are popping up asking for MFA. Sometimes the user gets so many prompts they are entering the wrong code.
So when a password is changed or the policy is changed:
Outlook pops up looking for MFA
Skype pops up looking for MFA
SharePoint Online pops up looking for MFA
We are also using ADFS, and sometimes the federated login can get in a loop asking users to sign in repeatedly.
I saw an article about caching, but I think this may only relate to MFA on the on-prem server.
I'm just looking for advice and best practice on getting MFA rolled out to all users with as little pain as possible.
dougdogAsked:
MaheshArchitectCommented:
Have you enabled modern authentication for Exchange Online and Skype for Business?
Enable it and ensure that you enable MFA only for those users who have the latest Office software installed, like O365, Office 2016, or Office 2013 SP1 with the latest patches.
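The service-side check behind this advice, as an added example that is not code from the thread or from Microsoft documentation: it reads the modern authentication (OAuth/ADAL) setting for Exchange Online and Skype for Business Online and enables it where it is off, then shows the client-side registry values an Office 2013 SP1 install needs. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) and the Skype for Business Online Connector module are installed and that you run it as a tenant admin.

```powershell
# Added example (not from the original thread). Assumes the Exchange Online
# PowerShell module and the Skype for Business Online Connector are installed
# and the current account is a tenant admin.

# --- Exchange Online: OAuth2ClientProfileEnabled controls modern auth ---
Connect-ExchangeOnline

$exo = Get-OrganizationConfig
if ($exo.OAuth2ClientProfileEnabled) {
    Write-Host "Exchange Online: modern authentication is already enabled"
} else {
    Write-Host "Exchange Online: modern authentication is OFF - enabling it"
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# --- Skype for Business Online: ClientAdalAuthOverride controls modern auth ---
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession -AllowClobber | Out-Null

$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -eq 'Allowed') {
    Write-Host "Skype for Business Online: modern authentication is already allowed"
} else {
    Write-Host "Skype for Business Online: modern authentication is $($sfb.ClientAdalAuthOverride) - allowing it"
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}
Remove-PSSession $sfbSession

# --- Client side (run on a user's PC, not in the tenant session) ---
# Office 2016 uses modern auth by default. Office 2013 SP1 only does so when
# EnableADAL=1 and Version=1 (both DWORD) exist under the Identity key below.
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (Test-Path $identityKey) {
    Get-ItemProperty -Path $identityKey | Select-Object EnableADAL, Version
} else {
    Write-Host "No Office 2013 Identity key found (Office 2016 or later, or ADAL values not set)"
}
```

Run the tenant part once before turning MFA on for a pilot group; if either setting is still off, every Office client that cannot do modern auth will fall back to basic auth and fail or prompt repeatedly once MFA is enforced.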
MaheshArchitectCommented:
You can search experts-exchange.com for modern authentication and you will find lots of posts.
dougdogAuthor Commented:
Looking to hear from people using it.
Why would it be popping up multiple times, etc.?
How did people find implementing it?
MaheshArchitectCommented:
If you have not enabled modern authentication, you will face issues after enabling MFA.
However, modern authentication itself has its own requirements.
Hence at the start I asked you a question, but you didn't answer it.
Vasil Michev (MVP)Commented:
That's by design. With Modern authentication, and OAuth in general, each application gets its own access/refresh token, those are not shared between apps/services. For example, you cannot login to Outlook and expect Edge or Chrome to automatically log you in. Resetting a user's password invalidates all refresh tokens across all apps, thus you will be prompted for MFA with any app you are currently using.

If you want to minimize the number of times you get prompted, there are certain settings you can configure, such as the "trusted IPs", or "caching" of MFA attempts. This can all be done via the MFA portal page.

You can also look into joining your devices to Azure AD - this is also considered two-factor auth, but it works differently and you will see a much smaller number of prompts.

dougdogAuthor Commented:
We have modern auth turned on for Exchange and Skype.
Does the caching work with cloud MFA, or is it on-prem MFA?
I was confused by the MFA server settings in the Azure portal.
Vasil Michev (MVP)Commented:
Works for both. The settings you should be looking at are the ones in the O365 portal: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?culture=en-US&BrandContextID=O365
dougdogAuthor Commented:
We do use ADFS.
Sometimes I notice Outlook can get in a loop and keep prompting for codes.
Does caching work with the cloud, though?
Is it a good idea to remember devices and skip if users are federated?
Vasil Michev (MVP)Commented:
For the third time, yes, it does work for the cloud. Whether it's a good idea to use it for your specific scenarios is for you to decide.
Office 365