Last month, I made the case to move from per-user MFA to Conditional Access to leave behind the remnants of the PhoneFactor infrastructure, presented as old pages linked to from the Azure Portal.
Today I want to talk about the ‘Allow users to remember multi-factor authentication on devices they trust’ option, which allows administrators to specify a number of ‘Days before a device must re-authenticate (1-60):’
I see many organizations using this option, believing that it helps their people with fewer authentication prompts. Often, the setting is set to 14 days, as seen in the screenshot above.
Why you’d want to move away from ‘Allow users to remember MFA on devices they trust’
As documented by Microsoft on its ‘Optimize reauthentication prompts and understand session lifetime for Azure Multi-Factor Authentication’ page, this setting can have negative side-effects through the persistent cookie it sets on the browser:
- It overrides the ‘Keep me signed in’ (KMSI) setting in Company Branding. Because the option allows at most 60 days, it prompts for re-authentication more often than the 90-day default that applies when the option is not configured.
- It overrides the default behavior for modern authentication clients (like Microsoft Outlook), which by default only prompt for re-authentication after 90 days of inactivity.
Why you’d want to use Conditional Access
Conditional Access is fast becoming the one-stop shop for all Microsoft Cloud authorization decisions. Switching from the ‘Allow users to remember multi-factor authentication on devices they trust’ option to Conditional Access allows Azure AD admins to:
- Set the sign-in frequency per Microsoft Cloud application, Azure AD-integrated application and Azure AD Application Proxy-published application, and per (group of) users, allowing for fine-grained ‘Remember multi-factor authentication’ behavior. Note that the Persistent browser session control itself only works correctly when the policy targets All cloud apps.
- Leave the ‘Keep me signed in’ (KMSI) world behind, where people in the organization need to tick the box themselves on the Stay signed in? screen. Now, an admin controls this behavior centrally.
Why you might not want to make the switch
One of the big differences between the ‘Allow users to remember MFA on devices they trust’ option and Conditional Access, is that the option is available even for Azure AD Free tenants, while Conditional Access requires Azure AD Premium licenses for people in scope.
As Enterprise Mobility + Security E3, E5, Microsoft 365 Business Premium, Microsoft 365 Business Premium Free (for non-profit organizations), Microsoft 365 Enterprise F1, F3, E3, E5 and Microsoft 365 for Education A3, A5 all contain Azure AD Premium P1 licenses, most organizations will be ready to go with Conditional Access.
How to make the switch
Switching from the ‘Allow users to remember MFA on devices they trust’ option to Conditional Access requires three actions:
- Disable the ‘Allow users to remember multi-factor authentication on devices they trust’ option
- Create the corresponding Conditional Access policy that defines the same coarse-grained ‘Persistent browser session’ control
- Tweak your Conditional Access policies to define the optimal session control settings for your organization’s use cases
Disable the ‘Allow users to remember multi-factor authentication on devices they trust’ option
First, we disable the ‘Allow users to remember multi-factor authentication on devices they trust’ option. As this setting overrides the other session settings, we need to clear it first. Perform these actions:
1. Start a browser and navigate to the Azure AD Portal.
2. Sign in with an account with Global Administrator privileges.
   Perform multi-factor authentication when prompted.
3. In the left navigation menu, click Azure Active Directory.
4. In Azure AD’s navigation menu, click Security.
5. In the Security navigation menu, click MFA under Manage.
6. Follow the Additional cloud-based MFA settings link in the main pane.
   A new tab or browser window opens.
7. In the remember multi-factor authentication (learn more) area, clear the option labeled Allow users to remember multi-factor authentication on devices they trust if it is enabled.
8. If the option was enabled, note the number of Days before a device must re-authenticate (1-60):. We’ll use this value when we create the Conditional Access policy that mimics the option.
9. Click the save button at the bottom of the screen.
10. Close the browser tab or window to go back to the Azure Portal.
Create the corresponding Conditional Access policy
Of course, the Azure AD tenant now operates with default session settings. We address this by creating the same coarse-grained policy through Conditional Access as our new starting point. Perform these actions:
1. While still signed in to the Azure AD Portal, navigate back to the main Azure AD tenant level or the Security level through the breadcrumbs in the top bar of the Azure Portal.
   If you’ve closed the browser window, or only want to perform this part of the steps, complete steps 1 through 4 of the steps for disabling the ‘Allow users to remember multi-factor authentication on devices they trust’ option above.
2. In the Security navigation menu, click Conditional Access.
3. In the Conditional Access | Policies main pane, click the + New policy link in the top action bar.
   The New pane appears.
4. In the Name field, enter a name for the Conditional Access policy following your organization’s naming policy for policies.
5. Under Assignments, click the 0 users and groups selected status for Users and groups.
6. Select the All users option.
7. Under Assignments, click the No cloud apps or actions selected status for Cloud apps or actions.
8. Select the All cloud apps option.
9. Then, under Access controls, under Session, click the 0 controls selected link.
   The Session blade opens.
10. On the Session blade, select the Sign-in frequency option. This option defines the time period before a user is asked to sign in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users are asked to re-authenticate on the first attempt to access a resource after being inactive on their device for 90 days or longer.
11. In the first field, enter the number of days for the Days before a device must re-authenticate (1-60): option that we noted in step 8 of the previous set of steps.
12. In the second field, select Days from the drop-down list.
13. On the Session blade, also select the Persistent browser session option. This option enables a persistent browser session, in which users remain signed in after closing and reopening their browser window. This setting only works correctly when All cloud apps is selected, does not affect token lifetimes or the sign-in frequency, but overrides the Show option to stay signed in policy in Company Branding.
14. In the Persistent browser session field, select Always persistent from the drop-down list.
15. Click Select at the bottom of the blade to save the control.
16. At the bottom of the New pane, under Enable policy, select On.
17. Click the Create button.
   You are returned to the Conditional Access | Policies pane.
18. In the top right corner of the Azure AD Portal, click the account’s name or profile picture and click Sign out in the context menu.
19. Close the browser.
Tweak your Conditional Access policies
The main reason to switch from the ‘Allow users to remember MFA on devices they trust’ option to Conditional Access is, of course, to have fine-grained control over how often we want people in the organization to sign in.
By creating more Conditional Access policies, excluding specific (groups of) users from the above Conditional Access policy and applying different Persistent browser session and Sign-in frequency settings to them, the experience for people in the organization can be tailored to their needs and expectations.
One by one, the settings in the legacy PhoneFactor pages are being replaced by better alternatives within the Azure Portal.
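The policy created in the portal steps above, and a stricter second policy of the kind this section describes, can also be created with the Microsoft Graph PowerShell SDK. The script below is an added example and not part of the original post or of Microsoft’s documentation. It assumes the Microsoft.Graph module is installed, that the signed-in account may manage Conditional Access, that `$RememberDays` is the value noted from the legacy MFA page, and that the group and break-glass account object IDs are placeholders you replace with your own. The function name `New-SessionControlPolicy` is also an assumption. Clearing the legacy ‘remember MFA’ option itself remains a portal action, as described earlier.

```powershell
# Added example: create Conditional Access session-control policies via Microsoft Graph.
# Not code from the original post. Assumes Microsoft.Graph PowerShell SDK and
# Conditional Access Administrator (or Global Administrator) rights.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

function New-SessionControlPolicy {
    # Hypothetical helper (assumption): wraps New-MgIdentityConditionalAccessPolicy
    # with the session controls discussed on this page.
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [int]      $SignInFrequencyDays,   # 1-60 to mirror the legacy option
        [string[]] $IncludeUsers  = @('All'),
        [string[]] $ExcludeUsers  = @(),
        [string[]] $IncludeGroups = @(),
        [string[]] $ExcludeGroups = @(),
        [ValidateSet('always', 'never')] [string] $PersistentBrowserMode = 'always',
        # Report-only first; switch to 'enabled' once the sign-in logs look as expected.
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers  = $IncludeUsers
                excludeUsers  = $ExcludeUsers
                includeGroups = $IncludeGroups
                excludeGroups = $ExcludeGroups
            }
            # Persistent browser session only works correctly against All cloud apps.
            applications = @{ includeApplications = @('All') }
        }
        sessionControls = @{
            signInFrequency = @{
                isEnabled = $true
                type      = 'days'
                value     = $SignInFrequencyDays
            }
            persistentBrowser = @{
                isEnabled = $true
                mode      = $PersistentBrowserMode
            }
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Placeholder values (assumptions): replace with the value noted in step 8 and your own object IDs.
$RememberDays = 14
$BreakGlass   = '00000000-0000-0000-0000-000000000000'   # emergency-access account, excluded everywhere
$AdminsGroup  = '11111111-1111-1111-1111-111111111111'   # group that gets the stricter policy

# 1. Baseline policy: mimics the legacy option for all users, carving out the admins group.
New-SessionControlPolicy -DisplayName "CA-Session-Baseline-$($RememberDays)d" `
    -SignInFrequencyDays $RememberDays `
    -ExcludeUsers @($BreakGlass) -ExcludeGroups @($AdminsGroup)

# 2. Stricter policy for the admins group: re-authenticate daily, no persistent browser session.
New-SessionControlPolicy -DisplayName 'CA-Session-Admins-1d' `
    -SignInFrequencyDays 1 `
    -IncludeUsers @() -IncludeGroups @($AdminsGroup) -ExcludeUsers @($BreakGlass) `
    -PersistentBrowserMode 'never'
```

Both policies target All cloud apps because the Persistent browser session control is only evaluated correctly at that scope; the difference between user populations is expressed through include and exclude assignments rather than through per-app scoping. The break-glass account is excluded from both so that a mistake in the sign-in frequency cannot lock administrators out of the tenant.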