Configure Microsoft Entra multifactor authentication settings

This article helps you to manage Azure Multi-Factor Authentication now that you're up and running. It covers various topics that help you to get the most out of Azure Multi-Factor Authentication. Not all of the features are available in every version of Azure Multi-Factor Authentication.

Feature Description
Selectable verification methods Use this feature to select the list of authentication methods that users are able to use.

Selectable verification methods

You can choose the verification methods that are available for your users by using the selectable verification methods feature. The following table provides a brief overview of the methods.

When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled. Guidance for the user enrollment process is provided in Set up my account for two-step verification.

Method Description
Call to phone Places an automated voice call. The user answers the call and presses # on the phone to authenticate. The phone number isn't synchronized to on-premises Active Directory.
Text message to phone Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2018. Administrators should enable another method for users who previously used two-way SMS.
Notification through mobile app Sends a push notification to the user's phone or registered device. The user views the notification and selects Verify to complete verification. The Microsoft Authenticator app is available for Windows Phone and iOS.
Verification code from mobile app or hardware token The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone and iOS.

Enable and disable verification methods

  1. Sign in to the Azure portal.

  2. On the left, select Microsoft Entra ID > Users > All users.

  3. Select Per-user MFA.

  4. Under Multi-Factor Authentication, select service settings.

  5. On the Service Settings page, under verification options, select/unselect the methods to provide to your users.

    Select the verification methods

  6. Click Save.

Remember multifactor authentication

The Remember multifactor authentication feature lets users bypass subsequent verifications for a specified number of days, after they've successfully signed in to a device by using MFA. To enhance usability and minimize the number of times a user has to perform MFA on a given device, select a duration of 90 days or less.

Important

If an account or device is compromised, remembering MFA for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should Revoke sessions.

The revoke action revokes the trusted status from all devices, and the user is required to perform multifactor authentication again. You can also instruct your users to restore the original MFA status on their own devices as noted in Manage your settings for multifactor authentication.

How the feature works

The remember multifactor authentication feature sets a persistent cookie on the browser when a user selects the Don't ask again for X days option at sign-in. The user isn't prompted again for MFA from that browser until the cookie expires. If the user opens a different browser on the same device or clears the cookies, they're prompted again to verify.

The Don't ask again for X days option isn't shown on non-browser applications, regardless of whether the app supports modern authentication. These apps use refresh tokens that provide new access tokens every hour. When a refresh token is validated, Microsoft Entra ID checks that the last multifactor authentication occurred within the specified number of days.

The feature reduces the number of authentications on web apps, which normally prompt every time. The feature can increase the number of authentications for modern authentication clients that normally prompt every 180 days, if a lower duration is configured. It might also increase the number of authentications when combined with Conditional Access policies.

Important

The remember multifactor authentication feature isn't compatible with the keep me signed in feature of AD FS, when users perform multifactor authentication for AD FS through MFA Server or a third-party multifactor authentication solution.

If your users select keep me signed in on AD FS and also mark their device as trusted for MFA, the user isn't automatically verified after the remember multifactor authentication number of days expires. Microsoft Entra ID requests a fresh multifactor authentication, but AD FS returns a token with the original MFA claim and date, rather than performing multifactor authentication again. This reaction sets off a verification loop between Microsoft Entra ID and AD FS.

The remember multifactor authentication feature isn't compatible with B2B users and won't be visible for B2B users when they sign in to the invited tenants.

The remember multifactor authentication feature isn't compatible with the Sign-in frequency Conditional Access control. For more information, see Configure authentication session management with Conditional Access.

Enable remember multifactor authentication

To enable and configure the option to allow users to remember their MFA status and bypass prompts, complete the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Browse to Entra ID > Users.
  3. Select Per-user MFA.
  4. Under Multifactor authentication at the top of the page, select service settings.
  5. On the service settings page, under Remember multifactor authentication on trusted device, select Allow users to remember multifactor authentication on devices they trust.
  6. Set the number of days to allow trusted devices to bypass multifactor authentications. For the optimal user experience, extend the duration to 90 or more days.
  7. Select Save.

Mark a device as trusted

After you enable the remember multifactor authentication feature, users can mark a device as trusted when they sign in by selecting Don't ask again.