How To Adjust The Multi-Factor Authentification (MFA) For Microsoft 365

Image showing an unknown, hooded figure (presumably a hacker) sitting in front of a laptop
Prevent account attacks with multi-factor authentication

According to Microsoft, Multi-Factor Authentication (MFA) can prevent 99.9% of account attacks. This might sound enticing to some of you. However, you must strive to maintain a balance between security and usability. Occasionally, the MFA can behave so aggressively that you keep getting bombarded with the constant MFA prompts. Fortunately, you have a way to limit these prompts if you work from a trusted device.

In this article, I’ll explain how you can use Azure Active Directory’s (Azure AD) “Remember MFA” feature to adjust your authentication. I’ll show you how to enable it, and how to disable the “Keep Me Signed In” feature in Azure AD. 

Let’s begin with a brief overview of device trust.

The “Remember MFA” Feature

In the context of Azure AD, device trust can have many different meanings. In the context of this article, device trust is when you acknowledge that you regularly work from a particular device, and therefore trust that device. It doesn’t refer to Azure AD device registration.

Using MFA is essential, but there’s no reason for you to constantly get pestered with many prompts if you’re working from your device. “Remember MFA” allows you to defer authentication prompts on devices that you trust. That way, admins in your organization can ask users to use MFA periodically to validate their identities without doing so excessively.

Let’s now go over how to enable MFA.

How to Enable the “Remember MFA” Feature

When enabled, the “Remember MFA” feature tracks the last time you proved your identity through multi-factor authentication. If you use a browser-based application, a persistent cookie allows you to remain authenticated until it expires.

If you work from non-browser applications, the hourly refresh token validation process checks to see whether it requires multi-factor authentication.

It’s a relatively simple process to enable the “Remember MFA” feature. To do so, follow these steps:

  1. Log in to Azure AD
  2. Open the Azure Active Directory Admin Center
  3. Click the Users container
  4. Click the Per-user MFA button at the top right of the image
Screenshot showing the Azure Active Directory Admin Center and the Users container.
Select the Users container and then click “Per-user MFA”
  1. When the Multi-Factor Authentication window appears, click on “service settings” near the top of the page
Screenshot showing the multi-factor authentication window
Click on “service settings”
  1. Select the “Allow users to remember Multi-Factor Authentication on devices they trust” checkbox
  1. Specify the number of days to trust these devices
Screenshot showing the multi-factor authentication service settings
Select the “Allow users to remember multi-factor authentication on devices they trust” checkbox

I’ll now show you how to disable the “Keep Me Signed In” feature in Azure AD.

How to Disable the “Keep Me Signed In” Feature

Now you’ll need to disable the Azure AD “Keep Me Signed In” feature. This feature isn’t compatible with the “Remember MFA” feature, so you have to turn it OFF. To do so:

  1. Log in to the Azure AD Admin Center
  2. Click the Azure Active Directory tab
  3. Choose Company Branding
  4. Click Configure
  5. Deselect the “Show option to remain signed in” checkbox under “remember Multi-Factor Authentication on trusted device.”
Screenshot showing the Company Branding window with a configuration section on the right
Deselect the “Show option to remain signed in” checkbox found at the bottom right here

Now you have it! Overall, this is a straightforward procedure. You can now rest easy knowing you’ll no longer receive those pesky MFA prompts.

The Bottom Line

In this article, I talked about authentication prompts and how frustrating they can be to deal with. As a solution, I showed you how to enable Azure AD’s “Remember MFA” and “Keep Me Signed In” features. Hopefully, this article will help you and your organization deal with those obnoxious multi-factor authentication prompts.

If your organization requires better security, it’s essential you ensure that you don’t get constant prompts to authenticate. Excessive prompts can frustrate you and slow down your productivity.

Do you have more questions on Multi-Factor Authentication? Check out the FAQ and Resources sections below!

FAQ

Why doesn’t the Azure Active Directory Admin Center show the “Per-User MFA” setting?

The main reason the Per-User MFA setting sometimes disappears is because of inadequate display resolution. At lower resolutions, the console tends to hide this option.

How long will Microsoft allow a trusted device to remember Multi-Factor Authentication? 

A trusted device can remember multi-factor authentication for as little as a single day or for as long as a year. However, Microsoft recommends that you set the number of days to a value of 90 or higher if you use this feature. The default value is 90 days.

Does the “Remember MFA” feature require Conditional Access?

The “Remember MFA” feature doesn’t require Conditional Access. It’s a feature that Microsoft provides organizations that don’t have a subscription that includes Conditional Access. Organizations with conditional access can use the “Sign in Frequency” setting instead.

Is the “Remember MFA” feature an alternative to the “Keep Me Signed In” feature?

Yes, you can use the “Keep Me Signed In” feature or the “Remember MFA” feature. You can’t use them together. Otherwise, Azure AD will create a verification loop and won’t authenticate users.

Will the “Remember MFA” feature work for non-browser-based applications?

If a user uses a browser-based application, they’ll see a Don’t Ask Again for X Days” prompt. If the user uses a non-browser application, Windows will usually assume that the user doesn’t need any more reminders until the refresh period expires.

Resources

TechGenix: Newsletters

Subscribe to our newsletter for more quality content.

TechGenix: Article on MFA Changes and Azure Premium

Learn about the MFA-related challenges you may encounter when enabling Azure AD Premium-related features.

TechGenix: Article on MFA, Office 365, and PowerShell

Read more on how to collect users’ MFA information using PowerShell.

TechGenix: Article on Microsoft 365 Passwords and MFA Security

Find out how to ditch Microsoft 365 passwords in favor of better MFA security.

Microsoft: Guide on Setting Up MFA for Microsoft 365

Learn how to set up MFA for Microsoft 365.

Microsoft: More Information on MFA

Discover the basics of multifactor authentication.

Microsoft: How Reauthentication Prompts Work

Learn how reauthentication prompts work.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top