Allow Privileged Identity MFA on time intervals
If a user activates a PIM role while holding a valid Azure AD claim, they are prompted for MFA only once, at the first sign-in. For as long as that claim remains valid, it lets the user skip MFA on every subsequent PIM activation.
We should be able to set a timeout that requires a user to re-authenticate after a certain amount of time. For example, if I use PIM to activate an Owner role on Azure resources, I should be prompted for MFA if a week has passed since the last time I did so.
This would let us enforce stricter security on sensitive roles, using the MFA prompt to confirm that the user's MFA method is still secure and still in their possession. Without it, if a user's device is compromised, whoever holds that device can still activate roles through PIM until the password is reset or the claim is otherwise invalidated.