Conditional-Access on Eriteach | Microsoft Cloud Techhttps://blog.eriteach.com/en/tags/conditional-access/Recent content in Conditional-Access on Eriteach | Microsoft Cloud TechHugo -- 0.155.1en2024-2026 Robel Mehari. All rights reserved.Sat, 20 Jun 2026 23:23:39 +0200Stop Treating Remembered MFA Devices as a Security Strategyhttps://blog.eriteach.com/en/posts/entra-mfa-remember-devices-session-controls/Sat, 20 Jun 2026 00:00:00 +0000https://blog.eriteach.com/en/posts/entra-mfa-remember-devices-session-controls/Review remembered MFA devices in Microsoft Entra ID and move toward Conditional Access session controls for safer sign-in behavior.The Problem

A small setting can quietly weaken a good MFA design.

In Microsoft Entra ID, many tenants still have users who can remember multifactor authentication on a trusted device. The idea is understandable: fewer prompts, less friction, fewer helpdesk tickets.

But from an admin point of view, this is not really a device trust model. It is a session convenience feature. If the device is shared, unmanaged, stolen, or used from a risky context, the remembered MFA state can reduce the value of the next sign-in challenge.

The LinkedIn link I checked pointed to an article about disabling remembered MFA on trusted devices. The topic is worth writing about, but the stronger engineering lesson is this:

MFA prompt reduction should be controlled through Conditional Access session policy, not through old tenant-wide convenience habits.

Environment

This applies to Microsoft Entra ID tenants that use MFA and Conditional Access.

Typical environments affected by this are:

  • hybrid or cloud-only Microsoft 365 tenants;
  • schools, municipalities, and distributed organizations;
  • users moving between managed and unmanaged devices;
  • admins trying to balance security with prompt fatigue.

What I Checked

The first thing I would check is whether the tenant still allows users to remember MFA on devices.

In Microsoft Entra admin center, review:

  1. Protection > Multifactor authentication > Additional cloud-based multifactor authentication settings.
  2. The setting for remembering multifactor authentication on trusted devices.
  3. Conditional Access policies that already control sign-in frequency or persistent browser sessions.
  4. Sign-in logs for repeated prompts, risky sign-ins, and unmanaged device usage.

The important part is to avoid changing a user-facing authentication setting without first understanding where prompt reduction is already handled.

The Decision

I would not treat remembered MFA devices as the main way to reduce prompts.

A better model is:

  • use Conditional Access to decide when sessions should persist;
  • use sign-in frequency to decide when users must reauthenticate;
  • use device compliance or hybrid join where device trust matters;
  • use risk signals where available;
  • keep emergency access accounts outside normal user policies.

This gives the admin more control than a broad remembered-device setting.

The Fix

A safe rollout would look like this:

  1. Review the current MFA remember-device setting.
  2. Identify affected users or groups.
  3. Review existing Conditional Access session controls.
  4. Create or adjust a Conditional Access policy for session lifetime.
  5. Pilot with a small group.
  6. Monitor sign-in logs and helpdesk feedback.
  7. Disable remembered MFA on trusted devices if the Conditional Access policy covers the needed user experience.

In Conditional Access, the two relevant controls are usually:

  • Sign-in frequency — how often the user must perform an interactive sign-in again.
  • Persistent browser session — whether the browser session can remain persistent after closing and reopening the browser.

What Changed

The benefit is not that users get more prompts.

The benefit is that prompts become policy-driven.

Instead of relying on a remembered MFA checkbox, admins can say:

  • managed devices can have a smoother experience;
  • unmanaged devices can be challenged more often;
  • risky sessions can be interrupted;
  • sensitive apps can have stricter session behavior;
  • changes can be scoped, piloted, and rolled back.

That is easier to explain and easier to audit.

What to Watch Out For

Do not disable remembered MFA globally without checking user impact.

Watch for:

  • increased MFA prompts after the change;
  • shared-device scenarios;
  • browser session behavior in Edge, Chrome, and mobile apps;
  • break-glass account exclusions;
  • service accounts or legacy authentication dependencies;
  • conflicts between multiple Conditional Access policies.

Also remember that this is not a replacement for device compliance. If the security decision depends on whether the device is managed, use device state in Conditional Access.

Final Thought

Remembered MFA devices are convenient, but convenience should not become the security model.

For most modern tenants, Conditional Access session controls are the cleaner place to manage this trade-off.

]]>