Revise MFA recommendation for known devices #1907

Open
ChristianCB83 wants to merge 1 commit into MicrosoftDocs:main from ChristianCB83:patch-11

@ChristianCB83
Contributor

Updated the recommendation for minimizing MFA prompts from known devices, emphasizing Conditional Access Sign-in frequency over the previous method.

@prmerger-automator
Contributor

@ChristianCB83 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod
Contributor

Learn Build status updates of commit 1563e36:

✅ Validation status: passed

| File | Status | Preview URL | Details |
| --- | --- | --- | --- |
| docs/identity/monitoring-health/recommendation-mfa-from-known-devices.md | ✅ Succeeded | | |

For more details, please refer to the build report.

Contributor

Copilot AI left a comment


Pull request overview

This PR updates guidance for minimizing MFA prompts from known devices, shifting the recommendation away from the legacy "Remember MFA on trusted devices" setting to the newer Conditional Access Sign-in frequency approach. The update emphasizes that Microsoft no longer recommends the Remember MFA feature and provides transitional guidance for existing deployments.

Changes:

  • Added a NOTE block indicating that Remember MFA on trusted devices is deprecated as the recommended approach
  • Introduced new guidance recommending Conditional Access Sign-in frequency for controlling MFA prompts
  • Provided transitional guidance for organizations still using the legacy Remember MFA feature

Comment on lines +19 to +20
For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.

Copilot AI Feb 27, 2026


The NOTE block content should be properly formatted according to Microsoft Learn documentation conventions. Lines 18-20 should all be within the NOTE block. Currently, only line 18 is inside the block quote marker, but lines 19-20 appear to be continuation text that should also be part of the note.

The proper formatting should have all related content indented with '> ' at the start of each line within the NOTE block.

Suggested change
For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.
> For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
> If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.

> [!NOTE]
> The Remember multifactor authentication on trusted device setting is no longer the recommended approach for reducing MFA prompts.
For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.

Copilot AI Feb 27, 2026


The hyphen in "Conditional Access–based" uses an en-dash (–) instead of a standard hyphen (-). According to the Microsoft Writing Style Guide, compound modifiers should use a standard hyphen. Change to "Conditional Access-based" with a regular hyphen for consistency.

Suggested change
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Accessbased session management instead.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access-based session management instead.

Comment on lines +17 to +20
> [!NOTE]
> The Remember multifactor authentication on trusted device setting is no longer the recommended approach for reducing MFA prompts.
For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.
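
Review bot: In line +19, "trusted devices, trusted locations, or risk sessions" lists risk sessions alongside the two trusted contexts, so the sentence reads as if the same prompt frequency applies to all three; state separately how Sign-in frequency should treat risk sessions, and link "Conditional Access Sign-in frequency" to its article so readers can act on the recommendation. Line +18 also calls the feature the "Remember multifactor authentication on trusted device setting" while line +20 calls it "Remember MFA on a trusted device"; use one name for the setting throughout.
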

Copilot AI Feb 27, 2026


According to the custom coding guidelines (CodingGuidelineID: 1000000), all Markdown content created or substantially modified with AI assistance must include an ai-usage front matter entry. This content update adds significant new guidance (lines 17-20) that appears to be substantive enough to warrant adding ai-usage metadata. Please add either ai-usage: ai-generated or ai-usage: ai-assisted to the front matter section based on the level of AI involvement in creating this content.

Copilot generated this review using guidance from repository custom instructions.
@ttorble
Contributor

ttorble commented Feb 27, 2026

@shlipsey3

Can you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called `tenantMFA` in the recommendations API in Microsoft Graph.

> [!NOTE]
> The Remember multifactor authentication on trusted device setting is no longer the recommended approach for reducing MFA prompts.
Contributor


@ChristianCB83 is this documented?

@ChristianCB83
Contributor Author

ChristianCB83 commented Mar 3, 2026

@kvenkit, not documented as far as I know, but this is explicitly noted on the UI:

[image]

I believe it is still worth mentioning that "For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions."
