365 MFA roll out problems and best practice

dougdog
Advice on configuring and using 365 MFA
We are currently testing MFA.
We have an issue where, when a user changes their password or when they are getting prompted for MFA, multiple applications are popping up asking for MFA.
Sometimes the user gets so many prompts that they are entering the wrong code.
So when a password is changed or the policy is changed:
Outlook pops up looking for MFA
Skype pops up looking for MFA
SharePoint Online pops up looking for MFA
We are also using ADFS, and sometimes the federated login can get in a loop asking users to sign in repeatedly.
I've seen an article about caching, but I think this may only be related to MFA on the on-prem server.
I'm just looking for advice and best practice on getting MFA rolled out to all users with as little pain as possible.
MaheshArchitect
Distinguished Expert 2018

Commented:
Have you enabled modern authentication for Exchange Online and Skype for Business?
Enable it and ensure that you enable MFA only for those users who have the latest Office software installed, like O365, Office 2016, or Office 2013 SP1 with the latest patches.
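Added example (not posted by anyone in this thread): a PowerShell check for the two "modern auth" switches the comment above refers to, plus a list of users already flagged for per-user MFA so their Office builds can be verified before the rollout. It assumes the ExchangeOnlineManagement, SkypeOnlineConnector and MSOnline modules are installed and that the account used has the admin roles needed to read these settings.

```powershell
# Added example, not from the thread. Assumes ExchangeOnlineManagement,
# SkypeOnlineConnector and MSOnline modules are installed and an admin account.

# --- Exchange Online: OAuth2ClientProfileEnabled is the modern auth switch ---
Connect-ExchangeOnline
$exoModernAuth = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Write-Host "Exchange Online modern auth enabled: $exoModernAuth"
if (-not $exoModernAuth) {
    # Enabling it lets Outlook 2013 SP1+/2016 use OAuth (and MFA) instead of basic auth.
    # Uncomment once you have confirmed the client versions in use:
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# --- Skype for Business Online: ClientAdalAuthOverride must be 'Allowed' ---
Import-Module SkypeOnlineConnector
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession -AllowClobber | Out-Null
$sfbModernAuth = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
Write-Host "Skype for Business Online modern auth: $sfbModernAuth"
if ($sfbModernAuth -ne 'Allowed') {
    # Uncomment to switch the Skype client to OAuth as well:
    # Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}

# --- Azure AD: who already has per-user MFA enabled/enforced ---
# StrongAuthenticationRequirements is empty for users without per-user MFA.
Connect-MsolService
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } } |
    Sort-Object UserPrincipalName
```

Users reported by the last query who are still on clients without modern auth support are the ones most likely to see the repeated prompt behaviour described in the question.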
MaheshArchitect
Distinguished Expert 2018

Commented:
You can search experts-exchange.com for modern authentication and you will find lots of posts.

Author

Commented:
Looking to hear from people using it.
Why would it be popping up multiple times, etc.?
How did people find implementing it?
MaheshArchitect
Distinguished Expert 2018

Commented:
If you have not enabled modern authentication, you will face issues after enabling MFA.
However, modern authentication itself has its own requirements.
Hence at the start I asked you a question, but you didn't answer that.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
That's by design. With Modern authentication, and OAuth in general, each application gets its own access/refresh token, those are not shared between apps/services. For example, you cannot login to Outlook and expect Edge or Chrome to automatically log you in. Resetting a user's password invalidates all refresh tokens across all apps, thus you will be prompted for MFA with any app you are currently using.

If you want to minimize the number of times you get prompted, there are certain settings you can configure, such as the "trusted IPs", or "caching" of MFA attempts. This can all be done via the MFA portal page.

You can also look into joining your devices to Azure AD - this is also considered two-factor auth, but it works differently and you will see a much smaller number of prompts.

Author

Commented:
We have modern auth turned on for Exchange and Skype.
Does the caching work with cloud MFA, or is it on-prem MFA only?
I was confused by the MFA server settings in the Azure portal.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Works for both. The settings you should be looking at are the ones in the O365 portal: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx?culture=en-US&BrandContextID=O365

Author

Commented:
We do use ADFS.
Sometimes I notice Outlook can get in a loop and keep prompting for codes.
Does caching work with the cloud though?
Is it a good idea to remember devices and skip MFA if users are federated?
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
For the third time, yes, it does work for the cloud. Whether it's a good idea to use it for your specific scenarios is for you to decide.
