MFA: remember device permanently (& remember per device, not per app)
1. Remove the 60-day (max) limit on remembering Office 365/Azure MFA authorisation for a device/app.
2. Make it so that MFA is remembered once per *device* (well, per user account per device), not once per app (for all Microsoft apps that authorise across all kinds of devices).
Rationale: Having to refresh the MFA authorisation periodically does not add to security, because we already know that the app or device is trusted and if that changes (e.g. device is lost or stolen), the correct procedure to follow is for the admin to immediately revoke the authorisation for the device and/or account.
Additionally, when using several different Microsoft apps on multiple devices (computer, mobile phone, tablet), currently every one of our 48 staff has to re-authorise for MFA 5 or more times every 60 days (Windows: once for Outlook/MS Office, once for Office 365 apps on the web accessed via Chrome, once for OneDrive client; Android or iPhone: once for Outlook app, once for Office 365 apps accessed via Chrome app).
Worse, the OneDrive client app on Windows falls over and does not seem to restart itself if this process is not completed properly, so every 60 days we have several complaints from users about their files not syncing - this can affect vulnerable members of our community given the work we do.
It is not a matter of making it 90 days or some other length of time (even 365 days) - having to renew the MFA authorisation periodically actually *decreases* security because users get fed up with having to re-enter credentials over and over, and they are then less careful in general with authorisations that pop up, leaving them open to phishing scams on their other online accounts.
Remembering MFA authorisation once per user account per device is just standard from other IT vendors, since it just makes sense. There's no need from a user's point-of-view to authorise that each app separately when we know that the user account on the device is trusted.
Julian Davidson commented
We're hitting limits with the *number* of allowed devices and number of allowed *attempts* to register just testing it. - Julian (also from NZ).
There is a partial work-around for this hassle: you can set up trusted IPs (you may need Azure AD Premium for this - I am not sure) here, and at least prevent MFA requests from your company's office network:
Jason Simotas commented
Once I approve a device, why should Microsoft UNapprove it every 60 days. G Suite doesn't have a time limit, nor do any of the other MFA providers that we use. We end up using App passwords where possible since they have no limit. All of this spells LESS security - not more.
Jason Rue commented
Amarendar Puli commented
Totally agree with above idea; MFA can be ruled out for trusted device. Though we have deployed, but very annoying for users. Hope Microsoft comes up with some solution.
Hi Rick S,
Sorry to hear that. :(
Glad we are at least not alone in this. Please encourage as many people as you can to vote for this, so that we can bring it to Microsoft's attention.
Anglican Family Care
Rick S commented
I have not been able to roll out MFA at my organization due to pushback regarding the 60 day limit which devices are rememberd for - this is just an unnecessary hurdle for our users in my opinion, and I completely agree with the OP's discussion above in that it does not add security for trusted devices. It has severely crippled our security because my hands are tied, and I'm not able to roll MFA out to our users.
Sorry to say, we don't have a reponse from Microsoft for this request, and no solution yet. :(
How frustrating. I found out we can get InTune and Azure Premium (?) for free as a non-profit (up to 50 licenses), so we are also pursuing this to try and solve it.
Yes, that is annoying that it doesn't automatically allow you to use Authenticator on the device where that's installed.
Hopefully we can get enough votes for Microsoft to pay attention to this - please encourage your staff to vote on this topic if possible!
Tony Rogers commented
Hi Anglican Family Care,
Did you get any solutions to these issues? We're also struggling with user acceptance of MFA because of these.
It's also annoying for users who have installed the Authenticator App to have to MFA on the device where they have installed Authenticator.
I think the official solution to this matter is to use InTune to register devices and have it declare devices as "Compliant". However, we are committed to an alternate MDM tool.
The Authenticator app includes an ability for users to register their device with Azure AD, sadly there's logic in Azure AD to make use of this "registration".