Hi All,


I'm planning on implementing Azure AD MFA with a Conditional Access policy.
I have gone through all the steps and have a good understanding of the process. However, I have a bit of a grey area where I'd like to get your thoughts.
I have my Conditional Access policy's sign-in frequency set to 2 hours for test purposes.

I have my user who is working as normal.

I send the user to register for MFA via the URL and it's successful.
Added the user to the pilot group to which I have assigned the Conditional Access policy.

My question is: will the user get the very first (initial) sign-in prompt 2 hours after they signed up for MFA?

Also, I would like to clarify how the timing works on an unmanaged device and an Azure AD registered device.


best response confirmed by shehanjp (Contributor)

So, the following is from the Session Controls within a CA policy: "Time period before a user is asked to sign in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer."
So I would think that you can work on the principle that after 2 hours of inactivity they will be prompted to sign in, and at this point they will be challenged to register for MFA.
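For the setup the question describes (an MFA grant plus a 2-hour sign-in frequency, scoped to a pilot group), here is an added example of that policy created through Microsoft Graph PowerShell; it is not from the original thread, and the pilot group ID and policy name are placeholders. It is created in report-only mode so the sign-in logs show what the policy would do before it is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
# Scope needed to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the MFA pilot group from the question.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Pilot - Require MFA, 2h sign-in frequency"   # placeholder name
    # Report-only: evaluated and logged, but users are not challenged yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # Grant control: the user must satisfy MFA (triggers registration if not yet enrolled).
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
    # Session control: the 2-hour sign-in frequency discussed above.
    sessionControls = @{
        signInFrequency = @{
            value     = 2
            type      = "hours"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read back the effective sign-in frequency to confirm what was stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SignInFrequency | Select-Object Value, Type, IsEnabled
```

Once the report-only results in the sign-in logs look right for the pilot group, switch `state` to `enabled` to start enforcing the prompt.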