Forum Discussion
Creating MFA conditional Policy, not triggering to enroll when signing in.
We're looking to rollout MFA for all our users, specifically just for any access to their Exchange Online and Microsoft Teams. I've followed the the instructions from Microsoft's Knowledge article: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
What I have setup:
New Conditional Access Policy (MFA Pilot):
Users > At the moment just including a specific group that i have my test users part of.
Target Resources > Cloud Apps > Office 365 Exchange Online & Microsoft Teams
Conditions > Client Apps > Enabled and checked all "Modern authentication clients" options (Browser/Mobile app and desktop clients/Legacy authentication clients/Exchange ActiveSync clients/Other clients)
Grant > Grant Access > Require multifactor authentication (Enabled)
Under Protection > Authentication Methods
Microsoft Authenticator (Enabled) > Authentication Mode: Any
Only Targeting the group my test users are in.
From my understanding with all of that enabled and set, when an account that is currently not setup for MFA yet, once they log into anything Exchange Online (or just signing into office.com for the first time) should trigger to get enrolled and register for the first time.
I've set these and its been about 2 hours and when i use one of my test accounts and log into office.com with it on a different machine, it still just normally logs in and doesn't trigger to enroll into MFA.
Help!
- The Office.com is a separate "app" and doesn't fall within the scope of your policy. Get the user to login to OWA instead. Or better yet, remove those conditions, you should protect all cloud apps and client types with MFA.
- tlakshmananCopper ContributorHello,
Even if end users are not registered for MFA, the Conditional Access Policy (CAP) should prompt them to register for MFA to access the resource.
In your scenario, have you checked the sign-in logs to confirm if the CAP is being applied? Additionally, have you tested the "What if" functionality under Conditional Access Policy to evaluate your newly created policy?
Reference: https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool