ZPA reauthenticate when user network connection changes

We are busy implementing ZPA for our internal network to replace our existing VPN connection technology.

We are using AzureAD for SAML SSO and also have a conditional access policy to require MFA when a user is not accessing from a trusted location.

What we’ve found is if a user is in the office, opens the client connector and signs in, when they then switch to a hot spot and disconnect from the internal network their existing token is retained and they are automatically granted access in ZPA.

What we are hoping to implement is that when the user transitions from the trusted network to an un-trusted network that the application re-authenticates the user. Then it should hit the conditional access policy and the user should get an MFA prompt.

We are trying to not have users get prompted by MFA multiple times a day as users do have the flexibility to work from home (I imagine a user getting an MFA prompt every 2 hours when working from home would get very frustrating).

Is it possible to configure this on the Zscaler side? Or am I missing something in the AzureAD SAML configuration?

The situation at home should be OK, as the i itial MFA auth will last until the reauth timeout which is 7 days so you wont get MFA prompts every twonhours unless you lower the reauth timeout to 2hrs.

Now the other ask is a bit more complicated. The token from the original auth & MFA will indeed allow access on switching network adapters which is a feature designed to provide seamless failover to a new network adapter (e.g. moving from your desk to a conference room or guest wireless). I’d look for a mobile portal switch to force a service restart on network adapter change, but AFAIK, there is only a setting to send network log on that type of change for troubleshooting, but not one for a service restart, again, to make the failover seamless for better user experience. Perhaps someone on the community knows of such a setting and if not, you can submit a ticket with support to have an ER (enhancement request) created.

@Wallace44 : seamless failover is a Client connector product differentiator and customers who are used to traditional anyconnect or other VPN solutions also dont require with auth from Trusted to non trusted network. They have a auth timer that requires them to reconnect often.

Vaishnavi | PM | Client Connector