0

We want to have some users required to use MFA and some users that can log without. For this we have two groups "MFA Required" and "MFA Not Required". When we want to active MFA for a user, we simply move them from one group to the other. We have a conditional access that enforces the MFA.

The includes/excludes:

enter image description here

The grant:

enter image description here

The User flow:

enter image description here

The issue is that now I get the MFA screen for all users. The "MFA Enforcement" even says "Conditional delegates the MFA decision to conditional access policies." when hovering above the "i". When I check the option "Enforce conditional access policies" in the User Flow nothing changes.

What is going on here? I feel I'm missing something, but I can't find anything online.

EDIT: I checked the audit logs in azure and when I log in with the user from "MFA Required" I see this:

enter image description here

And for the user from "MFA Not Required" I see this:

enter image description here

I still get the MFA screen for both though.

J Flex
  • 312
  • 1
  • 3
  • 11

2 Answers2

1

The reason behind getting MFA screen for all users may be due to below:

  • Check whether you have enabled per-user MFA to the users.

image

  • Please note that, if you are conditional access policies you should not enable/enforce per-user Azure Ad MFA.
  • If you have enabled that option, the user might get MFA screen even they are excluded via conditional access policies.
  • Check whether you have enabled security defaults option. If enabled, make sure to disable it.

enter image description here

Please check whether Self-Service Password Reset is enabled. Make sure to disable it.

For more in detail, please refer below links:

Enable per-user Multi-Factor Authentication - Azure Active Directory | Microsoft Docs

Disable Azure AD MFA Interrupt Mode for a group of users - Stack Overflow

Rukmini
  • 6,015
  • 2
  • 4
  • 14
  • Thanks for your answer! Per-user MFA is disabled for all users, the security defaults are also disabled and the Self-Service Password reset was also turned off. – J Flex Jun 01 '22 at 12:43
  • I just tested it all again but with "email" selected as the MFA method and it all seems to work. Maybe this was all because the Authenticator app method is in preview? – J Flex Jun 01 '22 at 12:51
0

RukminiMr-MT answer helped me gather a lot of information.

I had contacts with people from Microsoft and the thing is that when you use the Authenticator app as MFA option every user will have to register their authenticator app as MFA solution the next/first time they log in (after the change).

After they registered it for the first time they'll never get the MFA screen again. It's just a one time thing. The second time they log in, only the users from my MFA list get the MFA screen.

Check the date of this answer, since there are items in preview everything I just said might already have changed.

J Flex
  • 312
  • 1
  • 3
  • 11