Inconsistent MFA Prompts Despite Conditional Access Policy

Question

Inconsistent MFA Prompts Despite Conditional Access Policy

Eric Goh Kheng Poo 40

I’m setting up the MFA prompt daily through Conditional Access. In Conditional Access, I added a grant policy requiring authentication strength and set the session sign-in frequency to 1 day, applying it to everyone. However, the next morning, not everyone receives the MFA prompt. Some users do, while others don’t. I’ve confirmed that the policy applies to everyone, but I noticed users log in at different times. Could it be because 24 hours haven’t passed yet for some users?

[Moved from Microsoft 365 and Office | Microsoft 365 Defender | Other | Other]

Sridevi Machavarapu 9,465 Reputation points Microsoft External Staff Moderator

2025-12-15T02:16:39.7133333+00:00
Hey Eric Goh Kheng Poo! It sounds like you're experiencing inconsistent MFA prompts for your users, even though you've set up a Conditional Access policy that applies to everyone. Here’s what you can consider to troubleshoot this issue further:

Session Duration: The session sign-in frequency you set to 1 day means that each user needs to reauthenticate every 24 hours, but if they log in at different times, some may authenticate before the full 24-hour period has passed. So, yes, this might explain why not all users are prompted for MFA daily.

Review Sign-In Logs: To determine why certain users do not receive MFA prompts as expected, you should check the sign-in logs:

Navigate to the Microsoft Entra sign-in logs.

Filter for the specific users who are not receiving the prompts.

Verify the Status and Authentication Requirement fields to see if the sign-in was successful and if the MFA was indeed triggered or skipped.

Policies Overlap: There may be other factors or policies at play:

Check if Security Defaults or any Microsoft Managed Conditional Access policies are overriding your settings.

Confirm if users are also affected by Per-user MFA settings or any Identity Protection alerts that could force MFA prompts based on risk.

Investigate User Activity: Consider checking if the users who are not receiving MFA prompts might be logging in from previously trusted devices or locations, which could affect MFA applicability.

Troubleshoot and Test Policies: You can make use of the What-If Tool in the Conditional Access menu to simulate how policies are applied to these users.

Hope this helps! If the issue persists, here are some follow-up questions that might clarify things further:

Are the users consistently logging in from the same locations or devices, leading to a reduced need for MFA?

Have you checked for any conflicting Conditional Access policies that might affect MFA requirements?

Are all users registered with the same authentication methods for MFA?

Let me know if you need more assistance!

Reference Links:

What If Tool for Conditional Access

Conditional Access policies to enforce MFA

Security Defaults

Per-user MFA

Note: This content was drafted with the help of an AI system.
Eric Goh Kheng Poo 40 Reputation points

2025-12-15T02:45:05.3266667+00:00

Hi Sridevi,

Thank you for the detailed explanation and suggestions. I appreciate your support.

Please see my responses to each point below:

Session sign-in frequency (1 day): I understand the 24-hour behavior and the impact of different user sign-in times.

Entra ID sign-in logs: Reviewed for affected users; MFA requirements and authentication results have already been verified.

Overlapping or managed Conditional Access policies: Checked and confirmed there are no conflicting policies, including Security Defaults or Microsoft-managed policies. The policy is applied to all users.

Per-user MFA and Identity Protection: Confirmed MFA is enforced and no Identity Protection conditions are influencing the behavior.

Trusted devices or locations: Verified — users are accessing consistently from the same location and devices.

What-If tool: Tested, and results confirm the Conditional Access policy should be enforced as expected.

At this stage, all standard checks indicate the policy is correctly applied, yet the MFA prompt behavior remains inconsistent. This suggests there may be underlying backend conditions, token/session behavior, or known limitations related to authentication strength and sign-in frequency.

Microsoft has also advised revoking users’ sign-in sessions/tokens as part of further troubleshooting. Please advise whether this should be the next recommended step, or if escalation and deeper investigation from the Microsoft backend team is required.

Thank you again for your assistance.

Best regards,

Eric Goh
Sridevi Machavarapu 9,465 Reputation points Microsoft External Staff Moderator

2025-12-15T03:40:11.6666667+00:00

Hello Eric Goh Kheng Poo!

Thanks for confirming all the checks. Based on what you’ve shared, this doesn’t point to a policy issue.

This behavior is usually related to how Entra ID handles sessions and tokens. The 1-day sign-in frequency doesn’t force MFA at a fixed daily time. It depends on when each user’s last token was issued. If a user still has a valid session or refresh token, MFA can be skipped until that session is invalidated. That’s why users who sign in at different times see different results, even with the same policy.

At this stage, revoking sign-in sessions is the right next step and is commonly recommended by Microsoft. After you revoke sessions and the user signs in again, the policy is re-evaluated and MFA should be prompted.

Please do let me know if you have any further questions.

Hope this helps!
Eric Goh Kheng Poo 40 Reputation points

2025-12-15T03:49:12.92+00:00

if there is any recommended approach, such as revoking user sessions or another method, to achieve a consistent daily MFA prompt for all users at a fixed time?

Answer accepted by question author

0 additional answers

Your answer

Eric Goh Kheng Poo 40 Reputation points

2025-12-15T02:45:05.3266667+00:00

Hi Sridevi,

Thank you for the detailed explanation and suggestions. I appreciate your support.

Please see my responses to each point below:

Session sign-in frequency (1 day): I understand the 24-hour behavior and the impact of different user sign-in times.

Entra ID sign-in logs: Reviewed for affected users; MFA requirements and authentication results have already been verified.

Overlapping or managed Conditional Access policies: Checked and confirmed there are no conflicting policies, including Security Defaults or Microsoft-managed policies. The policy is applied to all users.

Per-user MFA and Identity Protection: Confirmed MFA is enforced and no Identity Protection conditions are influencing the behavior.

Trusted devices or locations: Verified — users are accessing consistently from the same location and devices.

What-If tool: Tested, and results confirm the Conditional Access policy should be enforced as expected.

At this stage, all standard checks indicate the policy is correctly applied, yet the MFA prompt behavior remains inconsistent. This suggests there may be underlying backend conditions, token/session behavior, or known limitations related to authentication strength and sign-in frequency.

Microsoft has also advised revoking users’ sign-in sessions/tokens as part of further troubleshooting. Please advise whether this should be the next recommended step, or if escalation and deeper investigation from the Microsoft backend team is required.

Thank you again for your assistance.

Best regards,

Eric Goh
Sridevi Machavarapu 9,465 Reputation points Microsoft External Staff Moderator

2025-12-15T03:40:11.6666667+00:00

Hello Eric Goh Kheng Poo!

Thanks for confirming all the checks. Based on what you’ve shared, this doesn’t point to a policy issue.

This behavior is usually related to how Entra ID handles sessions and tokens. The 1-day sign-in frequency doesn’t force MFA at a fixed daily time. It depends on when each user’s last token was issued. If a user still has a valid session or refresh token, MFA can be skipped until that session is invalidated. That’s why users who sign in at different times see different results, even with the same policy.

At this stage, revoking sign-in sessions is the right next step and is commonly recommended by Microsoft. After you revoke sessions and the user signs in again, the policy is re-evaluated and MFA should be prompted.

Please do let me know if you have any further questions.

Hope this helps!
Eric Goh Kheng Poo 40 Reputation points

2025-12-15T03:49:12.92+00:00

if there is any recommended approach, such as revoking user sessions or another method, to achieve a consistent daily MFA prompt for all users at a fixed time?

Answer 1

Sridevi Machavarapu 9,465 Microsoft External Staff Moderator

Hi Eric Goh Kheng Poo!

To answer this clearly, there isn’t a recommended or supported way in Entra ID to trigger MFA for all users at the same fixed time each day.

Conditional Access doesn’t work on a clock. The sign-in frequency setting is based on session and token lifetime, meaning MFA is required 24 hours after a user’s last successful sign-in. Since users authenticate at different times, MFA prompts will always be staggered.

Revoking user sessions is the only way to force MFA for everyone at once, but this is intended as a one-time reset or troubleshooting step, not something to run daily. There isn’t another policy, automation, or backend option that can schedule MFA prompts at a fixed daily time.

So, what you’re seeing is expected behavior rather than an issue with your setup.

Eric Goh Kheng Poo 40 Reputation points

2025-12-15T04:28:18.8933333+00:00

The answer seems quite obvious. there isn’t an alternative way to prompt on time. Thank you for your response.
Sridevi Machavarapu 9,465 Reputation points Microsoft External Staff Moderator

2025-12-15T04:39:14.2566667+00:00

Hello Eric Goh Kheng Poo!

Please do let me know if you have further queries on this. If not, please click on Accept answer to close this question.

Share via

Inconsistent MFA Prompts Despite Conditional Access Policy

Reference Links:

0 additional answers

Your answer