Multi-Factor Authentication (MFA) prompts should be expected when you first log into a service or app that requires your SSO login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.
Browser based sessions will timeout, depending on which service you are accessing:
- Azure login-based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office Online, Teams Web Client, should persist for 24 Hours. This means you should only be asked to verify with MFA once a day as long as your session isn’t ended by logouts.
- If you close your browser, you will be asked to verify again with MFA.
- If you login in a browser for one service, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed.
- Using private browser modes like Incognito or InPrivate will prompt for MFA even if the parent browser session has already performed MFA.
- If you use several different browsers, such as Chrome, Firefox, or Edge, you will be prompted to authenticate after timeout for each browser session.
- In addition to the above some services may require you to refresh your login more frequently and these rules are imposed by the individual services. For example, Outlook Web Access (OWA) logs you out after 8 hours of inactivity.
- Application logouts ending your Azure SSO session will cause a MFA prompt when logging into MFA backed applications even if it has been less than 24 hours in the same browser session.
Applications, unlike browsers, have a 90 day rolling token. This means that you should not be asked to verify with MFA if you use an app more frequently than every 90 days. Any changes that cause you to login again, such as a password change, will trigger MFA verification.
Examples of such applications are:
- Outlook (Windows, Android, Mac/iOS)
- Mac Mail
- Office applications
- Teams on Windows
- OneDrive client for Windows