Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Microsoft

The function of “remember multi-factor authentication”

If customers use the “remember multi-factor authentication” function, do they not meet the “Partner Security Requirements”?

 

Regarding when to require multi-factor authentication, it can be extended for a certain period depending on each user (within the extended period, MFA is not required).

 

MFA is still applied to the users, so I believe using this function meets the security requirements.

 

<reference>

Title : Remember Multi-Factor Authentication

URL : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#remember-multi-factor-authentication

 

<Other reference information>

Title : Partner Security Requirements

URL : https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

 

Title : Frequently asked questions about the partner security requirements

URL : https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

 

 

Microsoft

The setting for remembering MFA on devices will not work once technical enforcement is enabled - you can still enable it, but regardless of what has been set here the user will be forced to do MFA. 

 

However, as mentioned in other threads before, when using Windows 10 in a Hybrid Joined scenario (when MFA was enabled when the Hybrid join happened) or when Windows Hello for Business is used, it might be that MFA prompts rarely occur, since in this case the device already has a token that includes the MFA claim - you will see in the AAD sign-in logs that MFA was not triggered because the token already features the MFA claim.

See also https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim 

 

Kind regards,
Janosch
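
The sign-in log check described in the reply above, as an added example that is not part of the original thread: a Python script that sorts exported sign-in records by how the MFA requirement was met, separating "token already has the MFA claim" from "prompt suppressed by a remembered device". The field names (`authenticationRequirement`, `status.additionalDetails`), the detail strings and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed detail strings and field names (shape of an exported sign-in record);
# none of them appear in the thread itself.
TOKEN_CLAIM = "MFA requirement satisfied by claim in the token"
REMEMBERED = "MFA requirement skipped due to remembered device"
PROMPTED = "MFA completed in Azure AD"

def rec(user, requirement, detail, error=0):
    """Build one constructed sign-in record for the sample below."""
    return {"userPrincipalName": user,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error, "additionalDetails": detail}}

# Constructed sample data, not real log output.
SAMPLE = [
    rec("alice@contoso.example", "multiFactorAuthentication", TOKEN_CLAIM),
    rec("bob@contoso.example", "multiFactorAuthentication", REMEMBERED),
    rec("carol@contoso.example", "multiFactorAuthentication", PROMPTED),
    rec("dave@contoso.example", "singleFactorAuthentication", None),
    rec("erin@contoso.example", "multiFactorAuthentication", None, error=1),
]

def classify(signin):
    """Say how the MFA requirement was met (or not) for one sign-in."""
    status = signin.get("status") or {}
    if status.get("errorCode", 0) != 0:
        return "failed"
    if signin.get("authenticationRequirement") != "multiFactorAuthentication":
        return "mfa_not_required"
    detail = (status.get("additionalDetails") or "").strip().lower()
    if detail == TOKEN_CLAIM.lower():
        return "token_claim"        # no prompt: token already carries the MFA claim
    if detail == REMEMBERED.lower():
        return "remembered_device"  # "remember MFA" setting suppressed the prompt
    if detail == PROMPTED.lower():
        return "prompted"
    return "unclassified"           # unknown detail string: inspect by hand

def summarize(signins):
    """Count sign-ins per category."""
    return Counter(classify(s) for s in signins)

def needs_review(signins):
    """Users whose successful sign-in had neither a prompt nor a token MFA claim."""
    flagged = ("mfa_not_required", "remembered_device", "unclassified")
    return sorted({s["userPrincipalName"] for s in signins if classify(s) in flagged})

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print(needs_review(SAMPLE))
```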