Specify multi-factor authentication grace period

Use the group policies under Windows Settings > MFA Settings to control the multi-factor authentication grace period.

There are two group policies that affect the multi-factor authentication grace period.

  • Configure multi-factor authentication lock screen grace period
  • Configure multi-factor authentication user privilege elevation grace period

The Configure multi-factor authentication lock screen grace period group policy allows the administrator to configure the multi-factor authentication grace period (in minutes) for the lock screen. If the group policy is set to:

  • Enabled: the grace period for the lock screen is enabled and its length (in minutes) is set in the group policy. A value of 0 means there is no MFA grace period at the lock screen.
  • Disabled: the grace period for the lock screen is disabled.
  • Not Configured: the grace period for the lock screen is not enabled, and a local policy can override the setting.

The Configure multi-factor authentication user privilege elevation grace period group policy allows the administrator to configure the multi-factor authentication grace period for user privilege elevation, such as run with privilege and add new desktop. This grace period is per session: it starts when the user completes a successful MFA challenge in the session, and each subsequent successful challenge restarts it. If the group policy is set to:

  • Enabled: the grace period for privilege elevation is configured in the group policy.
  • Disabled: the grace period for privilege elevation is disabled.
  • Not Configured: the grace period for privilege elevation is not enabled and a local policy can override the setting.
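The following is an added example, not code from the product or its documentation. It models how the two policy states above resolve to an effective grace period (group policy wins when Enabled or Disabled; a local policy only matters when the group policy is Not Configured), treats the value 0 as "always challenge", and shows the per-session window that each successful MFA challenge restarts. The `PolicyState` enum, the `GracePolicy`/`Session` classes and the function names are assumptions made for this model; the real implementation's storage and evaluation order are not described on the page.

```python
"""Model of MFA grace-period policy resolution (added example, not product code).

Assumptions (not stated on the page): a local policy is expressed as an
optional minute value, and a grace period of 0 minutes means every lock-screen
unlock or privilege elevation requires a fresh MFA challenge.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class PolicyState(Enum):
    """The three states a group policy can be in, as named on the page."""
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    NOT_CONFIGURED = "Not Configured"


@dataclass
class GracePolicy:
    state: PolicyState
    minutes: Optional[int] = None  # grace period set in the GP when Enabled


def effective_grace_minutes(group_policy: GracePolicy,
                            local_minutes: Optional[int]) -> int:
    """Resolve the grace period in minutes (0 = no grace period).

    Enabled:        the group policy value is used; local policy is ignored.
    Disabled:       no grace period; local policy is ignored.
    Not Configured: no grace period unless a local policy sets one.
    """
    if group_policy.state is PolicyState.ENABLED:
        if group_policy.minutes is None or group_policy.minutes < 0:
            raise ValueError("an Enabled policy needs a non-negative minute value")
        return group_policy.minutes
    if group_policy.state is PolicyState.DISABLED:
        return 0
    # Not Configured: the local policy may override.
    if local_minutes is not None and local_minutes > 0:
        return local_minutes
    return 0


@dataclass
class Session:
    """Per-session state: when the last successful MFA challenge happened."""
    last_mfa: Optional[datetime] = None


def mfa_required(session: Session, now: datetime, grace_minutes: int) -> bool:
    """True if the user must pass a new MFA challenge right now."""
    if grace_minutes == 0 or session.last_mfa is None:
        return True
    return now - session.last_mfa >= timedelta(minutes=grace_minutes)


def record_mfa_success(session: Session, now: datetime) -> None:
    """Each successful challenge restarts the session's grace window."""
    session.last_mfa = now


def elevation_walkthrough() -> List[Tuple[int, bool]]:
    """Constructed scenario: a 10-minute elevation grace period and four
    privilege-elevation attempts at minutes 0, 5, 12 and 14 of one session.
    Returns (minute, challenge_required) for each attempt."""
    grace = effective_grace_minutes(
        GracePolicy(PolicyState.ENABLED, minutes=10), local_minutes=None)
    session = Session()
    start = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    results = []
    for minute in (0, 5, 12, 14):
        now = start + timedelta(minutes=minute)
        required = mfa_required(session, now, grace)
        if required:
            record_mfa_success(session, now)  # user passes the challenge
        results.append((minute, required))
    return results


if __name__ == "__main__":
    for minute, required in elevation_walkthrough():
        print(f"t+{minute:2d} min: {'MFA challenge' if required else 'within grace period'}")
```

Running the walkthrough shows the challenge at minute 0, no challenge at minute 5, a new challenge at minute 12 (the 10-minute window from minute 0 has expired), and no challenge at minute 14 because the successful challenge at minute 12 restarted the window.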