Forum Discussion
All users receive "Your organization needs more information to keep your account secure" when logon
- Feb 11, 2020
Thank you for the hint.
Finally solved by:
Azure Active Directory > Properties
Manage security defaults
set Enable security defaults to No
That is some good information! Considering this question was all about Security Defaults, i.e. NOT having Entra P1 or 2 licensing, with Security Defaults you are essentially forced to require MFA for all users without exception. This includes Guest users. Your suggestion is great as it will work with Security Defaults in place, by disconnecting SharePoint from the equation. For those with P1 or P2, you would not do this as you can control who is or is not prompted using CA policies.
There are two things I find people miss when it comes to MFA / SSPR:
1. As in the screenshot, the number of methods required to reset a password is important because the registration for MFA is tied to this (combined registration is a forced setting). If this is set to '2', your users in scope for SSPR will be prompted continually for a second method, because it is required for password reset. This is where you can register an Email, which is not supported for MFA, but is supported as a method for password reset - again slightly confusing, easily misunderstood until you read the docs. Generally you want SSPR set to all in which case I recommend keeping the number of methods set to '1', otherwise it gets confusing for users.
2. It's okay to have SSPR enabled for all with security defaults, as long as you disable 'Registration' which is two down on the menu from where you enable it. Set it to 'No'. Users will not be prompted for SSPR, but will be prompted for MFA registration.
NOTE: This has all changed recently for Entra Premium, with the move to the Security => Authentication Methods blade. You need to migrate from the current configurations to the new methods, then you benefit from some new methods like 'Temporary Access Pass'. The new methods include a 'Registration Campaign' where you can control the prompts that occur during login, and the number of days it can be skipped.
Here's a step-by-step walk-through for the migration:
How to migrate to the Authentication methods policy | Microsoft Learn
Good luck!
We have this same issue. We use CA, no defaults are configurable. Out of nowhere users are getting hit with
- Colin123, Jan 23, 2024, Copper Contributor
I had the same issue, using Intune to sign up a new user on a new PC. Got the AADSTS50192 message.
Then tried to log in on an existing Windows laptop via a browser, same issue. After scratching my head for a while I figured it must be to do with the user needing to log in with MFA but no security info set up for the user, so they cannot log in with MFA.
1) Logged in as an Administrator to "Microsoft 365 Admin Center"
2) Selected *"Identity" under "Admin Centers" to Access "Microsoft Entra Admin Center"
3) "Microsoft Entra Admin Center" select "Users" > "All Users"
4) Select the relevant user
5) Under the user screen select "Authentication Methods", enter an authentication method.
6) When complete press the save icon. User should now be prompted for additional data when logging in as there will be an authentication method available when logging in.
Suggestions to Microsoft
1) * Rename "Identity" to "Microsoft Entra Admin Center" in "Microsoft 365 Admin Center"
2) ** In "Microsoft 365 Admin Center", add a method to enter the user authentication method when setting up a user; setting up a user without it is pretty useless.
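Added example, not part of any post above and not Microsoft's code: a small audit that separates methods usable for MFA from methods that only count toward password reset (email), and shows how raising the SSPR "number of methods required" from 1 to 2 changes who still has a registration gap. The records are constructed in the shape Microsoft Graph returns for a user's authentication methods; the function names and the two capability sets are simplifying assumptions.

```python
# Added illustration; names and sample data are constructed, not from the thread.
T = "#microsoft.graph."
# Simplified assumption: which registered method types count toward MFA / SSPR.
MFA_CAPABLE = {T + "microsoftAuthenticatorAuthenticationMethod",
               T + "phoneAuthenticationMethod"}
SSPR_CAPABLE = MFA_CAPABLE | {T + "emailAuthenticationMethod"}  # email: reset only


def classify(methods, sspr_required=1):
    """Summarise one user's registered methods against MFA and SSPR needs."""
    kinds = [m.get("@odata.type", "") for m in methods]
    mfa = sum(k in MFA_CAPABLE for k in kinds)
    sspr = sum(k in SSPR_CAPABLE for k in kinds)
    return {
        "mfa_ready": mfa > 0,
        "sspr_ready": sspr >= sspr_required,
        "sspr_missing": max(0, sspr_required - sspr),
    }


def audit(directory, sspr_required=1):
    """Return {upn: [findings]} for users with a registration gap."""
    report = {}
    for upn, methods in directory.items():
        s = classify(methods, sspr_required)
        findings = []
        if not s["mfa_ready"]:
            findings.append("no MFA-capable method registered")
        if not s["sspr_ready"]:
            findings.append(f"needs {s['sspr_missing']} more method(s) for SSPR")
        if findings:
            report[upn] = findings
    return report


# Constructed sample directory (password counts toward neither MFA nor SSPR).
SAMPLE = {
    "alice@example.com": [{"@odata.type": T + "passwordAuthenticationMethod"},
                          {"@odata.type": T + "microsoftAuthenticatorAuthenticationMethod"}],
    "bob@example.com":   [{"@odata.type": T + "passwordAuthenticationMethod"}],
    "carol@example.com": [{"@odata.type": T + "passwordAuthenticationMethod"},
                          {"@odata.type": T + "emailAuthenticationMethod"}],
}

if __name__ == "__main__":
    for required in (1, 2):
        print(f"SSPR methods required = {required}")
        for upn, findings in audit(SAMPLE, required).items():
            print(f"  {upn}: {'; '.join(findings)}")
```

With one method required, only the users lacking an MFA-capable method are listed; with two required, a user who has already registered the Authenticator app is listed as well.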