Forum Discussion
microc1
Feb 07, 2020 - Copper Contributor
All users receive "Your organization needs more information to keep your account secure" at logon
All users receive "Your organization needs more information to keep your account secure" when logging on to the O365 web portal. Users can select "skip for now (XX days until it is required)" but it will finally ...
- Feb 11, 2020
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
SimBur999
Nov 05, 2023 - Copper Contributor
That is some good information! Considering this question was all about Security Defaults, i.e. NOT having Entra P1 or P2 licensing: with Security Defaults you are essentially forced to require MFA for all users without exception. This includes Guest users. Your suggestion is great, as it will work with Security Defaults in place by disconnecting SharePoint from the equation. For those with P1 or P2, you would not do this, as you can control who is or is not prompted using CA policies.
There are two things I find people miss when it comes to MFA / SSPR:
1. As in the screenshot, the number of methods required to reset a password is important, because the registration for MFA is tied to this (combined registration is a forced setting). If this is set to '2', your users in scope for SSPR will be prompted continually for a second method, because it is required for password reset. This is where you can register an Email, which is not supported for MFA but is supported as a method for password reset; again, slightly confusing and easily misunderstood until you read the docs. Generally you want SSPR set to All, in which case I recommend keeping the number of methods set to '1'; otherwise it gets confusing for users.
2. It's okay to have SSPR enabled for all with Security Defaults, as long as you disable 'Registration', which is two down on the menu from where you enable it. Set it to 'No'. Users will not be prompted for SSPR, but will be prompted for MFA registration.
NOTE: This has all changed recently for Entra Premium, with the move to the Security => Authentication Methods blade. You need to migrate from the current configurations to the new methods, then you benefit from some new methods like 'Temporary Access Pass'. The new methods include a 'Registration Campaign' where you can control the prompts that occur during login, and the number of days it can be skipped.
Here's a step-by-step walk-through for the migration:
How to migrate to the Authentication methods policy | Microsoft Learn
Good luck!
techlogik7
Nov 06, 2023 - Copper Contributor
We have this same issue. We use CA; no defaults are configurable. Out of nowhere users are getting hit with:
Your organization requires you to set up the following methods of proving who you are.
Additional authentication is required to complete this sign-in.
Then you get a redirect to Azure and around in circles it goes, finally back to this message, just a loop over and over, and you can't do anything.
MFA is supposed to be the first thing Azure checks if enabled. We do have CAs for hybrid-joined/Intune-compliant devices... but how do you set up MFA if you can't even get the page to show to download the MS app or enter a phone number? This is another issue I have a support ticket open on: we can't modify the default Authentication methods or disable the MS Authenticator app, it just gives an error, and 3 days later no support response, just "send us info"... dead in the water. Cluster and mess as usual with MS and this entire CA, Auth apps, Intune dumpster fire... Rant over. Any ideas, let us know. The only way to get a user in is to turn off MFA, have them sign in, set up MFA methods, then put them in the groups to enforce CA/Intune policies. Giant mess. And let's not get into the 18 hrs it takes for a CA rule change to go into effect. Literally spending weeks on end making single changes to troubleshoot issues and getting nowhere fast. MS support is useless.
- Colin123 - Jan 23, 2024 - Copper Contributor
I had the same issue, using Intune to sign up a new user on a new PC. Got the AADSTS50192 message.
Then tried to log in on an existing Windows laptop via a browser, same issue. After scratching my head for a while I figured it must be to do with the user needing to log in with MFA but having no security info set up, so they cannot log in with MFA.
1) Logged in as an Administrator to "Microsoft 365 Admin Center"
2) Selected *"Identity" under "Admin Centers" to Access "Microsoft Entra Admin Center"
3) "Microsoft Entra Admin Center" select "Users" > "All Users"
4) Select the relevant user
5) Under the user screen select "Authentication Methods", enter an authentication method,
6) When complete, press the save icon. User should now be prompted for additional data when logging in, as there will be an authentication method available when logging in.
Suggestions to Microsoft
1) * Rename "Identity" to "Microsoft Entra Admin Center" in "Microsoft 365 Admin Center"
2) ** In "Microsoft 365 Admin Center", add method to enter user authentication method when setting up a user, setting up a user without it is pretty useless.
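A scripted version of the check Colin123 walked through in the portal, combined with the Temporary Access Pass route SimBur999 mentions. This is an added example, not code from any poster in this thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and the caller holds a role that can manage authentication methods. The parameter names, the UPN and the phone number are placeholders.

```powershell
# Added example (not from the thread or from Microsoft): list what a user has actually
# registered and, if nothing usable for MFA is there, register a method out of band so an
# MFA-required sign-in can complete. $Upn, $MobileNumber and the script name are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. newhire@contoso.example (placeholder)
    [string] $MobileNumber,                 # e.g. "+1 4255550100"; Graph wants "+<cc> <number>"
    [switch] $IssueTap                      # issue a Temporary Access Pass instead of a phone
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All' -NoWelcome

# 1. Is the tenant on Security Defaults (the original post's situation) or on CA policies?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Host 'Security Defaults are ON: all users must register and use MFA.'
} else {
    Write-Host 'Security Defaults are OFF: MFA prompts come from Conditional Access policies.'
}

# 2. What has the user registered? The generic method object only reveals the concrete
#    type through @odata.type, so read it from AdditionalProperties.
$methods = Get-MgUserAuthenticationMethod -UserId $Upn
$types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

# Methods that can satisfy an MFA challenge. Password is the first factor and email is
# an SSPR-only method (SimBur999's point 1), so both are deliberately left out.
$mfaCapable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)
$usable = $types | Where-Object { $mfaCapable -contains $_ }

Write-Host "Registered for ${Upn}: $($types -join ', ')"
if ($usable) {
    Write-Host "User already has an MFA-capable method ($($usable -join ', ')); nothing to do."
    return
}

# 3. Nothing usable: the sign-in cannot satisfy MFA, so an admin registers something for
#    the user, which is what Colin123 did through the Entra admin center.
if ($IssueTap) {
    # Requires the Temporary Access Pass method to be enabled in the Authentication methods
    # policy (available after the migration SimBur999 describes). One-time, 60 minutes.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
               -LifetimeInMinutes 60 -IsUsableOnce
    Write-Host "TAP (single use, 60 min), deliver over a verified channel: $($tap.TemporaryAccessPass)"
} elseif ($MobileNumber) {
    $phone = New-MgUserAuthenticationPhoneMethod -UserId $Upn `
                 -PhoneNumber $MobileNumber -PhoneType 'mobile'
    Write-Host "Registered mobile phone method $($phone.Id) for $Upn."
} else {
    Write-Warning 'No MFA-capable method registered and nothing to add; pass -MobileNumber or -IssueTap.'
}
```

Saved as, say, Bootstrap-Mfa.ps1 (a hypothetical name), it is run as `.\Bootstrap-Mfa.ps1 -Upn newhire@contoso.example -IssueTap`. The TAP branch is preferable to registering a phone on the user's behalf: the pass expires, can be made single-use, and lets the user pick and register Authenticator themselves once they are past the "additional authentication is required" loop, rather than leaving an admin-chosen SMS factor on the account.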