MFA: how often should I get prompted?

This page explains how often you should expect to get prompted to do MFA on your Oxford Single Sign-On (SSO) account and goes into more detail about conditional access policies.

When do I get prompted for MFA?

MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Changing your IP address, or staying on the same one, is not on its own enough to trigger or suppress an MFA prompt.

MFA prompts should be expected when you first log into a service or app that requires your SSO login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.

Browsers

Browser-based sessions time out, depending on which service you are accessing:

  • Azure login based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client, should persist for seven days, which means you should only be asked to verify with MFA every seven days
  • Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours, which means you will be asked to verify with MFA every 11 hours

Notes:

  • If you close your browser, you will be asked to verify again with MFA

  • If you log in in a browser for one service, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed

  • If you use several different browsers, such as Chrome, Firefox or Edge, you will be prompted to authenticate after timeout for each browser session

  • In addition to the above, some services may require you to refresh your login more frequently; these rules are imposed by the individual services. For example, Outlook Web Access (OWA) logs you out after 8 hours of inactivity

Apps

Applications, unlike browsers, have a 90-day rolling token, which means that you should not be asked to verify with MFA as long as you use the app at least once every 90 days. Any change that forces you to log in again, such as a software update, will trigger MFA verification.

Examples of such applications are:

  • Outlook (Windows, Android, Mac/iOS)
  • Mac Mail
  • Office applications
  • Teams on Windows (NB: not web version)
  • OneDrive client for Windows
  • Flow app for Mobile Devices

Note: Teams on Linux behaves like a browser application and, as such, session times act in line with the browser session of seven days.

This section goes into more detail about frequency of MFA prompts and explains conditional access policies.

What is a conditional access policy?

A conditional access policy is a decision-led process which enforces organisational policies. Essentially, if a user wants to access a resource, then they must complete an action. For example, a person wants to access Nexus365 services to read their email and is required to complete multi-factor authentication before access is granted.

The video on this Microsoft page explains "What is Conditional Access?"

Authentication types:

There are two types of authentication methods for Oxford Single Sign-On (SSO) accounts:

  1. Modern Authentication - a modern method used by browsers and more up-to-date versions of applications, e.g. Outlook 2016/365. This method is sometimes referred to as “OAuth2”
  2. Legacy or Basic authentication - an older authentication method using usernames and passwords, in use by older clients and those that aren’t capable of Modern Authentication, e.g. Outlook 2013

User Scenarios

The following table explains how long your session will last before you are asked to authenticate again, and the methods available. This depends on what service you are accessing, and whether you are using a modern or legacy client.

In all cases, you may be asked to re-authenticate (with MFA where applicable) in a timeframe shorter than the session lifetimes stated. One example of when this may occur is where the user has changed location or IP address - please note that this is a built-in feature of the Azure platform, and one that Microsoft does not fully divulge the behaviour of (for security reasons).

Overall, sessions will last at least 90 days, with two exceptions: when you are accessing web-based services, including web-based Office 365, your session will last up to 7 days, and when you are accessing Shibboleth-protected resources such as CoSy, TeamSeer or Clarity, your session will last up to 11 hours.

Columns: What are you accessing? / Are you using Modern or Basic Authentication? / With MFA? / How long will my session last?

Office365 on mobile or desktop app, for example Outlook or Teams client (see note 1)
  Authentication: Modern | MFA: Yes or no | Session: At least 90 days

Office365 on mobile or desktop app, for example Outlook 2013 and older mail clients
  Authentication: Basic (legacy) | MFA: No | Session: At least 90 days

Office365 on mobile or desktop app, for example Outlook 2013 and older mail clients
  Authentication: Basic (legacy) | MFA: Yes | Session: see note 2

Browser access to an Office 365 service (e.g. Outlook Web Access (OWA), Teams web client, OneDrive web access, SharePoint Online, Power Automate dashboard, etc.)
  Authentication: Modern only (see note 3) | MFA: Yes or no | Session: Up to 7 days

Shibboleth protected resources. However, if you have both browser-based access to Office 365 and Shibboleth resources in the same browser, the Shibboleth access token may be renewed for the lifetime of the access token for the Office 365 based service.
  Authentication: Modern only (see note 3) | Session: Up to 11 hours

Office365 via ActiveSync client
  Authentication: Basic (legacy) | MFA: No | Session: At least 90 days

Office365 via ActiveSync client
  Authentication: Basic (legacy) | MFA: Yes | Session: See note 4

Office365 via ActiveSync client
  Authentication: Basic (legacy) | MFA: Yes or no | Session: At least 90 days, see note 5


Note 1: Teams on Linux is recognised as a web browser by Microsoft and therefore behaves as per web browser based session lengths.

Note 2: Access for legacy clients, such as IMAP clients, via basic authentication is not permitted for users with MFA enabled via the Conditional Access Policies. In many modern mail clients, it may be possible to re-configure to use Modern Authentication. Otherwise, an app password is required.

Note 3: All browser-based access to SSO protected resources uses Modern Authentication in the browser. For browser-based access to services that do not fall under the Office 365 or Shibboleth banners, the session time will also be up to 7 days.

Note 4: Access for ActiveSync clients using basic authentication is not permitted for users with MFA enabled via the Conditional Access Policies. An app password is required.

Note 5: Access for ActiveSync clients that can use Modern authentication is permitted, but these clients may not be widely available.
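To make the table and notes above concrete, here is a small Python model of the session-lifetime rules as an added example; it is not the University's or Microsoft's policy engine, and the client categories, the `Client`/`Auth`/`Decision` names and the decision order are assumptions layered on the page's stated lifetimes (90 days for apps, 7 days for browsers, 11 hours for Shibboleth) and its notes (basic authentication blocked for MFA-enabled accounts, Teams on Linux treated as a browser). It also models the difference between an app's rolling 90-day token, which is renewed by use, and a browser session measured from sign-in.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Client(Enum):
    # Client categories are an assumption drawn from the page's table rows
    DESKTOP_APP = "desktop or mobile app"
    BROWSER = "browser"
    ACTIVESYNC = "ActiveSync client"
    SHIBBOLETH = "Shibboleth-protected resource"  # always browser based


class Auth(Enum):
    MODERN = "modern (OAuth2)"
    BASIC = "basic (legacy)"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    lifetime: Optional[timedelta]  # None when access is refused
    rolling: bool                  # True: lifetime is renewed by use (app tokens)
    reason: str


def evaluate(client: Client, auth: Auth, mfa_enabled: bool,
             platform: str = "windows") -> Decision:
    """Hypothetical reconstruction of the page's conditional access rules."""
    # Note 1: Teams on Linux is recognised as a web browser by Microsoft
    if client is Client.DESKTOP_APP and platform == "linux":
        client = Client.BROWSER

    # Notes 2 and 4: basic authentication is not permitted once MFA is enabled;
    # the page says such clients need an app password or Modern Authentication
    if auth is Auth.BASIC and mfa_enabled:
        return Decision(False, None, False,
                        "basic authentication not permitted for MFA-enabled "
                        "accounts; reconfigure for Modern Authentication or "
                        "use an app password")

    # Note 3: all browser-based access uses Modern Authentication
    if client in (Client.BROWSER, Client.SHIBBOLETH) and auth is Auth.BASIC:
        return Decision(False, None, False,
                        "browser-based access is Modern Authentication only")

    if client is Client.SHIBBOLETH:
        return Decision(True, timedelta(hours=11), False,
                        "Shibboleth session, up to 11 hours")
    if client is Client.BROWSER:
        return Decision(True, timedelta(days=7), False,
                        "browser session, up to 7 days")
    # Desktop/mobile apps and ActiveSync: 90-day rolling token
    return Decision(True, timedelta(days=90), True,
                    "app token, renewed by use, at least 90 days")


def prompt_due(decision: Decision, session_start: datetime,
               last_used: datetime, now: datetime) -> bool:
    """Would a fresh sign-in (and MFA, where enabled) be expected now?

    Apps measure the 90 days from the last use (rolling token); browser and
    Shibboleth sessions are measured from when the session started.  The page
    notes that the platform may re-prompt earlier (e.g. on a location change);
    that behaviour is undocumented and is not modelled here.
    """
    if not decision.allowed:
        return True
    anchor = last_used if decision.rolling else session_start
    return now - anchor >= decision.lifetime


if __name__ == "__main__":
    # Constructed sample timeline: signed in on 1 March, used daily, checked on 1 June
    start = datetime(2024, 3, 1, 9, 0)
    last = datetime(2024, 5, 31, 17, 0)
    now = datetime(2024, 6, 1, 9, 0)
    for client, auth, mfa in [(Client.DESKTOP_APP, Auth.MODERN, True),
                              (Client.BROWSER, Auth.MODERN, True),
                              (Client.ACTIVESYNC, Auth.BASIC, True)]:
        d = evaluate(client, auth, mfa)
        print(f"{client.value:30} {auth.value:16} MFA={mfa!s:5} "
              f"allowed={d.allowed} prompt_due={prompt_due(d, start, last, now)}")
```

The sample timeline shows why a daily-used Outlook client is never prompted while a browser session that started three months ago is: the app's anchor moves with each use, the browser's does not.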
