I have two enterprise apps (well, I have hundreds, but for this we will say two). Both leverage Windows Auth via Kerberos/SPN.
If I am already logged onto portal.office.com and go to app [A], then I see the redirection to login.microsoftonline.com and then back to app [A], logged in without the need for MFA (presumably because I did it when logging into portal.office.com).
However, when I am again already logged into portal.office.com and go to app [B], I get redirected to login.microsoftonline.com; it knows who I am, but it forces MFA prompting.
The account in question is MFA Disabled on the MFA User screen, and both apps are covered by a single conditional access policy that says "all apps, all users, require MFA".
Looking in the Azure AD Sign-On logs for App A, the seamless logon shows this:
MFA Result: MFA requirement satisfied by claim in the token
Whereas App B doesn't seem to respect the token and/or is not being presented with it.
Does anyone know why two roughly identical enterprise apps would have this different behavior? Any troubleshooting steps I might be able to take?
I have opened three cases so far, never get past level 1 before I give up. Fiddler traces haven't really shown me anything.
Any advice would be greatly welcomed.