⚠️ WARNING: This article is intended for participants in the
MFA Modernization Pilot only. If you are not a pilot participant, the information in this article may not apply to you. Contact the
IT Service Desk if you have questions about your current sign-in experience.
This article explains how often you will be asked to complete multi-factor authentication (MFA) and why the experience differs depending on the device you are using.
Detailed Information
How often will I be prompted for MFA?
How often you see an MFA prompt depends on the device you are using:
UMS-managed Windows computer
- MFA prompt frequency: Approximately once every 30 days when using Windows Hello for Business (WHfB).
- Day-to-day experience: Your computer has a security chip that stores your credentials securely. When you sign in to your computer, your session is automatically maintained across browser restarts and reboots. You should rarely see an MFA prompt during normal daily use. Closing your browser does not require you to re-authenticate.
UMS-managed Mac
- MFA prompt frequency (web browser): Up to once every 24 hours, or whenever you close and reopen your browser.
- MFA prompt frequency (apps such as Office or OneDrive): Approximately once every 30 days.
- Day-to-day experience: Even though your Mac is managed by UMS, it is not joined to Entra, so your browser sessions follow the same sign-in rules as a personal device. Each time you close your browser and reopen it, you will need to sign in again with MFA. Apps you have installed maintain their sessions longer — you will only be prompted for MFA in those every 30 days.
Personal device — web browser
- MFA prompt frequency: Up to once every 24 hours, or whenever you close and reopen your browser.
- Day-to-day experience: This is the most restrictive setting. Your session does not persist after you close your browser. Each new browser session requires a fresh sign-in with MFA within the 24-hour window.
Personal device — apps (such as Office or OneDrive)
- MFA prompt frequency: Approximately once every 30 days.
- Day-to-day experience: Desktop and mobile apps on personal devices maintain their sessions longer than browsers. You will be prompted for MFA when the 30-day window expires.
A typical day: what this looks like
| Time |
What happens |
Managed Windows |
Managed Mac (browser) |
Personal device (browser) |
| 8:00 AM |
Sign in for the day |
MFA prompt. Session starts. |
MFA prompt. Session starts. |
MFA prompt. Session starts. |
| 9:00 AM |
Access another app |
Seamless — no prompt |
Seamless within same browser session |
Seamless within same browser session |
| 5:00 PM |
Close browser and leave |
Session continues on device |
Session ends |
Session ends |
| Next day 8:00 AM |
Open browser |
Seamless — session resumes automatically |
MFA prompt required (no saved session) |
MFA prompt required (no saved session) |
| Day 30, 8:00 AM |
30-day limit reached |
MFA prompt (may happen silently in the background) |
N/A — session already resets daily |
N/A — session already resets daily |
On a managed Windows computer, the 30-day re-authentication often happens in the background. You may not even see a prompt. When you are prompted for MFA, it means something meaningful has changed — treat it as a real security event.
Why does it work this way?
The goal is to minimize unnecessary MFA prompts while keeping sessions secure. UMS-managed Windows computers have a hardware security chip that stores your credentials and maintains your session even when you close your browser. Mac computers, while managed by UMS, are not joined to Entra in a way that allows the same session protections — so browser sessions on a Mac reset the same way they do on a personal device. Apps installed on your Mac are not affected and still maintain their sessions for 30 days.
Environment
- Microsoft Entra (formerly Azure Active Directory)
- UMS-managed Windows computers
- UMS-managed Mac computers (JAMF-managed)
- Personal and unmanaged devices (browser and apps)