We help IT Professionals succeed at work.

How does 2 Factor Authentication work, exactly, for Office 365?

How does 2 Factor Authentication work, exactly, for Office 365?  We are interested in possibly implementing it - but we don't want users to have to CONSTANTLY re-authenticate, either.  And are there control options for how it works - or is it Microsoft-controlled?

Thank you
Watch Question

Most Valuable Expert 2015
Distinguished Expert 2019
It's not constantly. It's based on token expiration, which in turn depends on several factors as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

TL;DR version of the article is that if you are actively using a given app, you dont need to reauthenticate, and can potentially use the service indefinitely without seeing a prompt. If you want to minimize the number of prompts, leave the defaults. If you want users to be prompted when they move to another location, or there is some risk event, use Conditional access policies. If you want them to be prompted more often, use the controls listed in the article above, or as are fairly complicated, the new method: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Damian GardnerIT Admin


Ok - that helps.  Thanks Vasil