Skip to content

Revise MFA recommendation for known devices #1907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ChristianCB83 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Revise MFA recommendation for known devices #1907

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion docs/identity/monitoring-health/recommendation-mfa-from-known-devices.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,12 @@ ms.custom: sfi-image-nochange

[Microsoft Entra recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called `tenantMFA` in the recommendations API in Microsoft Graph.
This article covers the recommendation to minimize multifactor authentication prompts from known devices. This recommendation is called `tenantMFA` in the recommendations API in Microsoft Graph.

> [!NOTE]
> The Remember multifactor authentication on trusted device setting is no longer the recommended approach for reducing MFA prompts.
Copy link
Copy Markdown
Contributor

@kvenkit kvenkit Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ChristianCB83 is this documented

For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.
Comment on lines +19 to +20
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The NOTE block content should be properly formatted according to Microsoft Learn documentation conventions. Lines 18-20 should all be within the NOTE block. Currently, only line 18 is inside the block quote marker, but lines 19-20 appear to be continuation text that should also be part of the note.

The proper formatting should have all related content indented with '> ' at the start of each line within the NOTE block.

Suggested change
For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.
> For an optimal user experience and stronger security posture, Microsoft recommends using Conditional Access Sign-in frequency to control how often users are prompted for MFA on trusted devices, trusted locations, or risk sessions.
> If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access–based session management instead.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The hyphen in "Conditional Access–based" uses an en-dash (–) instead of a standard hyphen (-). According to the Microsoft Writing Style Guide, compound modifiers should use a standard hyphen. Change to "Conditional Access-based" with a regular hyphen for consistency.

Suggested change
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Accessbased session management instead.
If you continue to use Remember MFA on a trusted device, ensure the duration is configured to 90 days or more. However, new and updated deployments should prefer Conditional Access-based session management instead.

Copilot uses AI. Check for mistakes.
Comment on lines +17 to +20
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the custom coding guidelines (CodingGuidelineID: 1000000), all Markdown content created or substantially modified with AI assistance must include an ai-usage front matter entry. This content update adds significant new guidance (lines 17-20) that appears to be substantive enough to warrant adding ai-usage metadata. Please add either ai-usage: ai-generated or ai-usage: ai-assisted to the front matter section based on the level of AI involvement in creating this content.

Copilot generated this review using guidance from repository custom instructions.

## Description

Expand Down