To enforce Multi-Factor Authentication (MFA) every time a user connects to or disconnects from a Fortinet VPN, you can utilize the Conditional Access policies in Microsoft Entra. However, it is important to note that the configuration of sign-in frequency to require reauthentication every time may not work as expected in all scenarios, especially with certain applications or network conditions.
Here are some considerations:
- Session Frequency: Setting the sign-in frequency to "Every time" should prompt users for reauthentication each time they connect after a disconnection. However, this may not function correctly if there are specific configurations or limitations with the Fortinet VPN integration.
- Network Stability: Frequent disconnections and reconnections can lead to issues with reauthentication, especially on unstable networks. Ensure that the network conditions are stable to avoid unnecessary complications.
- Testing and Validation: Use the "What If" tool in Microsoft Entra to simulate the sign-in process and verify that your Conditional Access policies are configured correctly. This tool can help identify any potential issues with your setup.
- Known Issues: Be aware that there are known issues with mobile devices and certain configurations that might affect the reauthentication process. Make sure to review these to ensure they are not impacting your users.
If the current configuration is not working as intended, you may need to review the specific settings in your Conditional Access policy or consult Fortinet documentation for any additional requirements or configurations needed for proper integration with Microsoft Entra.
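
One way to review the policy settings discussed above, as an added example that is not part of the original answer and not Microsoft or Fortinet tooling: a Python audit of a Conditional Access policy in the Microsoft Graph `conditionalAccessPolicy` JSON shape. The application IDs and both sample policies are constructed placeholders, and `audit_policy` is a hypothetical helper name.

```python
"""Audit a Conditional Access policy (Microsoft Graph JSON shape) for per-connection MFA."""
VPN_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID

def audit_policy(policy, app_id):
    """Return a list of reasons the policy would not force MFA on every sign-in."""
    findings = []
    if policy.get("state") != "enabled":  # report-only and disabled policies never prompt
        findings.append(f"state is {policy.get('state')!r}: policy is not enforced")
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    if app_id not in include and "All" not in include:
        findings.append("VPN application is not in includeApplications")
    if app_id in (apps.get("excludeApplications") or []):
        findings.append("VPN application is explicitly excluded")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    strength = grant.get("authenticationStrength")
    if "mfa" not in controls and not strength:
        findings.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and len(controls) + bool(strength) > 1:
        findings.append("operator OR lets another control satisfy the policy without MFA")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("sign-in frequency session control is not enabled")
    elif sif.get("frequencyInterval") != "everyTime":
        findings.append(f"sign-in frequency is {sif.get('value')} {sif.get('type')}, not every time")
    return findings

# Constructed sample policies, not exported from any real tenant.
STRICT = {
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": [VPN_APP_ID]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {
        "isEnabled": True, "frequencyInterval": "everyTime",
        "authenticationType": "primaryAndSecondaryAuthentication"}},
}
WEAK = {
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"applications": {"includeApplications": ["11111111-1111-1111-1111-111111111111"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {"signInFrequency": {
        "isEnabled": True, "frequencyInterval": "timeBased", "type": "hours", "value": 8}},
}

if __name__ == "__main__":
    for name, policy in (("STRICT", STRICT), ("WEAK", WEAK)):
        print(name, audit_policy(policy, VPN_APP_ID) or "OK")
```

A policy that passes this audit can still fail to prompt if the VPN client reuses an existing session, so confirm the result in the sign-in logs after a real reconnect.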