Please provide an option to enforce (repeated) MFA for app access, even if SSO token already indicates MFA completed
We have a requirement for an application to always enforce MFA for the user. E.g. a user logs in to Windows 10 with Hello for Business, then MFA is already satisfied when evaluating Conditional Access factors. But we need the user to authenticate again because this is a critical application.
Zero Trust approach: ‘never trust, always verify’. Also: minimize time-of-check versus time-of-use. These are sound principles, imho.
E.g. to prevent a malicious user from logging in to the app when a workstation is left unlocked.
Possible option to decrease MaxAgeMultiFactor to 0 (but this may break other things or annoy the user for less critical apps) or another way by providing a way to specify a conditional access condition "Always MFA" on the enterprise app settings.
Is there any news on that topic? We have the same need, i.e. we need the ability to enforce MFA for a "specific" enterprise app regardless of any persistent session token ...
Jarratt, Nick commented
Per this article from Microsoft on MFA, enabling MFA on the user account, rather than through Conditional Access, will require them to perform MFA every time they log in. It's listed as a negative effect, but seems to be your desired result.
Push! We also need this for a specific app because of sensitive user data.
If you set up an app with "always MFA" and afterwards the sign-in details said "MFA requirement satisfied by claim in the token"... can't be the answer...
Adding on to this: We need the ability to enforce MFA for "specific" apps containing sensitive data (financial, personal, etc.) on every visit, regardless of any persistent session cookies/KMSI options.
While we tested the new preview options in Conditional Access (Sign-in frequency (Preview), Persistent browser session (Preview)), they do not allow override for specific apps. In fact the persistent browser session feature only works if "all cloud apps" are selected, which is not really useful.
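
The gap this thread describes, a token that says "MFA done" long after the factor was actually presented, can be checked on the application side by looking at the age of the claim. The following is an added example, not code from any poster or from Microsoft. It assumes the app receives an ID token that has already been signature-validated, and that the identity provider emits the standard OIDC `auth_time` and RFC 8176 `amr` claims; the 300-second policy and the sample claims are constructed.

```python
import time

# Assumption: claims come from an ID token whose signature, issuer and
# audience were already validated. Whether a given identity provider emits
# "auth_time" (OIDC Core) and "amr" (RFC 8176) is deployment-specific.
MAX_MFA_AGE_SECONDS = 300   # hypothetical policy for the critical app
CLOCK_SKEW_SECONDS = 60     # tolerated clock difference between IdP and app

# Constructed sample claims, relative to a fixed reference time.
NOW = 1_700_000_000
STALE_CLAIMS = {"amr": ["pwd", "mfa"], "auth_time": NOW - 8 * 3600}
FRESH_CLAIMS = {"amr": ["pwd", "mfa"], "auth_time": NOW - 120}


def mfa_is_fresh(claims, now=None, max_age=MAX_MFA_AGE_SECONDS):
    """Return (ok, reason); ok is True only if MFA happened within max_age."""
    now = time.time() if now is None else now
    if "mfa" not in (claims.get("amr") or []):
        return False, "no mfa in amr"
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False, "auth_time missing"      # fail closed
    age = now - auth_time
    if age < -CLOCK_SKEW_SECONDS:
        return False, "auth_time in future"
    if age > max_age:
        return False, "mfa too old"            # satisfied by an old claim
    return True, "fresh"


def reauth_params(max_age=0):
    """OIDC Core request parameters asking the provider to re-authenticate.

    The app must still run mfa_is_fresh() on the token that comes back,
    because the request alone does not prove a second factor was used.
    """
    return {"prompt": "login", "max_age": str(max_age)}


if __name__ == "__main__":
    for name, claims in (("stale", STALE_CLAIMS), ("fresh", FRESH_CLAIMS)):
        ok, reason = mfa_is_fresh(claims, now=NOW)
        print(name, ok, reason, "" if ok else reauth_params())
```
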