| title | Recommendation to minimize MFA prompts from known devices |
|---|---|
| description | Learn about the recommendation to minimize multifactor authentication prompts from known devices in Microsoft Entra ID. |
| ms.topic | how-to |
| ms.date | 06/12/2025 |
| ms.reviewer | jadedsouza |
| ms.custom | sfi-image-nochange |
Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.
This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called tenantMFA in the recommendations API in Microsoft Graph.
Note
The Remember multifactor authentication on trusted device setting is no longer the recommended approach for reducing MFA prompts. For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions. If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.
As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed. While enabling MFA is a good practice, you should try to keep the number of MFA prompts your users have to go through to a minimum. One option you have to accomplish this goal is to allow users to remember multifactor authentication on trusted devices.
The remember multifactor authentication on trusted device feature sets a persistent cookie on the browser when a user selects the Don't ask again for X days option at sign-in. The user isn't prompted again for MFA from that browser until the cookie expires. If the user opens a different browser on the same device or clears the cookies, they're prompted again to verify.
For more information, see Configure Microsoft Entra multifactor authentication settings.
This recommendation shows up if the remember multifactor authentication feature is set to less than 30 days.
This recommendation improves your users' productivity and minimizes the sign-in time with fewer MFA prompts. Ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.
- Review the How to configure Microsoft Entra multifactor authentication settings article.
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Entra ID > Multifactor authentication.
- Under the Configure heading, select the Additional cloud-based multifactor authentication settings link.
- Select the Service settings tab.
- Under the Remember multifactor authentication on trusted device heading, select the checkbox, and set the number of days to 90.
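
To confirm the state of this recommendation after changing the setting, the following read-only check queries the recommendations API in Microsoft Graph. It is an added example, not code from this article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`) is installed, uses the beta `directory/recommendations` endpoint, and matches client-side on the `tenantMFA` name given above.

```powershell
# Added example: read-only status check for the tenantMFA recommendation.
# Assumptions: Microsoft.Graph.Authentication is installed; the signed-in
# account can consent to DirectoryRecommendations.Read.All; the recommendation's
# recommendationType equals the name this article gives (tenantMFA).
Connect-MgGraph -Scopes 'DirectoryRecommendations.Read.All'

$uri = 'https://graph.microsoft.com/beta/directory/recommendations'
$all = @()
while ($uri) {
    # Invoke-MgGraphRequest returns a hashtable for JSON responses
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $all += $page.value
    $uri  = $page.'@odata.nextLink'   # follow paging until no next link remains
}

# Filter locally so the check does not depend on server-side $filter support
$rec = $all | Where-Object { $_.recommendationType -eq 'tenantMFA' }

if (-not $rec) {
    Write-Output 'tenantMFA recommendation was not returned for this tenant.'
    return
}

foreach ($r in $rec) {
    # Summarize the fields an admin needs to track remediation
    [pscustomobject]@{
        DisplayName  = $r.displayName
        Status       = $r.status
        Priority     = $r.priority
        LastModified = $r.lastModifiedDateTime
    }

    if ($r.status -eq 'active') {
        Write-Warning ('Recommendation is still active. Review the Remember MFA ' +
            'duration, or move to Conditional Access Sign-in frequency.')
    }
}
```

The recommendation status is evaluated by the service, so it may not change immediately after the setting is updated.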


