Description:
Disabling the setting 'Allow users to remember multi-factor authentication (MFA) on devices they trust' ensures that users are prompted for MFA at every sign-in, regardless of whether they previously chose to remember MFA on a trusted device. This improves security by preventing unauthorized access from a device that has been compromised or is being used by someone other than the authorized user.
Rationale:
While the 'remember MFA on trusted devices' feature can enhance user convenience by reducing the frequency of MFA challenges, it also increases the risk of unauthorized access if the user's device is lost, stolen, or used by an unauthorized person. Disabling this setting ensures that MFA is required at every login, reducing the risk of long-term exposure from a potentially compromised device.
Impact:
Disabling the 'Remember MFA' feature means users are prompted for MFA every time they sign in. This increases the number of MFA challenges users see, but it ensures that an earlier MFA approval cannot be reused from a lost, stolen, or shared device. Users may find the process more tedious, but it provides a higher security standard, particularly for highly sensitive environments.
Default Value:
By default, the 'Allow users to remember MFA on devices they trust' setting is enabled in Azure Active Directory (Azure AD), but it can be manually disabled.
Pre-requisites:
Azure Active Directory (Azure AD) subscription.
Global Administrator or Conditional Access Administrator role permissions.
Multi-Factor Authentication (MFA) should be enabled for users.
Audit:
Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.
Navigate to Azure Active Directory > Security > Multi-Factor Authentication > Service Settings.
Verify that the setting 'Allow users to remember MFA on devices they trust' is disabled.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Conditional Access Administrator privileges.
Navigate to Multi-Factor Authentication Settings:
In the Azure portal, go to Azure Active Directory > Security > Multi-Factor Authentication.
Under Multi-Factor Authentication, click on Service Settings.
Disable 'Remember MFA on Trusted Devices':
In the Service Settings page, scroll down to the section titled 'Allow users to remember multi-factor authentication on devices they trust'.
Uncheck the box next to 'Allow users to remember multi-factor authentication on devices they trust'.
This will disable the option for users to bypass MFA challenges on trusted devices.
Save the Configuration:
After unchecking the box, click Save to apply the changes.
Verify the Setting:
After disabling this feature, ensure that users are no longer able to bypass MFA challenges when signing in on trusted devices.
Test by attempting to sign in with a user account that has MFA enabled and checking that MFA is required even if the device was previously marked as trusted.
Monitor and Communicate with Users:
Notify users that MFA will be required at every login and explain the reason for this enhanced security measure.
Provide support for users who may encounter issues with the additional MFA prompts.
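To verify the change beyond a single manual sign-in test, the following Python script is an added example (not part of the original guidance) that scans exported sign-in log records and reports users whose MFA requirement was satisfied by a remembered-device claim instead of an interactive prompt after the setting was disabled. The record layout, field names and result-detail wording are assumptions to confirm against your own tenant's export.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of exported Entra ID (Azure AD) sign-in records, not real data.
# Field names are assumed to match the sign-in log export; confirm against your tenant.
SAMPLE_SIGNINS = """[
 {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationDetails": [
   {"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Mobile app notification", "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"createdDateTime": "2024-05-02T09:15:00Z", "userPrincipalName": "alice@contoso.example",
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"createdDateTime": "2024-05-03T10:30:00Z", "userPrincipalName": "bob@contoso.example",
  "authenticationRequirement": "singleFactorAuthentication",
  "authenticationDetails": [
   {"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"}]}
]"""

# Wording (assumed) that marks an MFA requirement met by a remembered-device claim
# instead of a fresh, interactive challenge.
REMEMBERED_MARKER = "satisfied by claim in the token"

def load_sample():
    """Parse the constructed sample into a list of sign-in records."""
    return json.loads(SAMPLE_SIGNINS)

def classify(record):
    """Return 'remembered', 'interactive' or 'no_mfa' for one sign-in record."""
    steps = [d.get("authenticationStepResultDetail", "") for d in record.get("authenticationDetails", [])]
    if any(REMEMBERED_MARKER in s for s in steps):
        return "remembered"
    if record.get("authenticationRequirement") == "multiFactorAuthentication":
        return "interactive"
    return "no_mfa"

def summarize(records, since=None):
    """Per-user outcome counts; `since` is an ISO 8601 UTC 'Z' timestamp, compared as text."""
    counts = defaultdict(Counter)
    for rec in records:
        if since and rec["createdDateTime"] < since:
            continue
        counts[rec["userPrincipalName"]][classify(rec)] += 1
    return {upn: dict(c) for upn, c in counts.items()}

def remembered_after_change(records, change_time):
    """UPNs whose sign-ins after `change_time` still satisfied MFA via a remembered-device claim."""
    return sorted(upn for upn, c in summarize(records, since=change_time).items() if c.get("remembered"))
```

Pass the timestamp at which you saved the setting as `change_time`; any user returned afterwards warrants a closer look, since a remembered-device claim should no longer satisfy MFA once the option is disabled.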
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Conditional Access Administrator privileges.
Navigate to Multi-Factor Authentication Settings:
Go to Azure Active Directory > Security > Multi-Factor Authentication.
Under Multi-Factor Authentication, select Service Settings.
Re-enable 'Remember MFA on Trusted Devices':
In the Service Settings page, locate the section 'Allow users to remember multi-factor authentication on devices they trust'.
Check the box next to 'Allow users to remember multi-factor authentication on devices they trust' to re-enable this feature.
Save the Configuration:
Click Save to revert the setting.
Test User Access:
After re-enabling this setting, test by logging in with a user account that has MFA enabled, ensuring that the user can choose to remember the MFA on trusted devices and bypass subsequent MFA challenges.