Forum Discussion
CUCOOPE (Copper Contributor)
Nov 17, 2021
Microsoft App Access Panel requires MFA but we didn't enable it
Hi. Recently we received a report from a user that he was asked to perform MFA when he was signing in. After checking the sign-in logs, we found that it was an application called "Microsoft App Access Panel" and the status of that sign-in attempt was "interrupted". The detail of the log tells us that the authentication policy applied was "App requires MFA", but we couldn't find that policy anywhere in Conditional Access. The only MFA-related policy in Conditional Access was a policy that requires users to perform MFA only including "Office 365 Exchange Online", but since the policy is not related to "Microsoft App Access Panel"(?) and the said user was excluded from that policy, I don't think that's the issue. We have already set "Enable Security defaults" to "No" and we've checked that the "Multi-factor Auth Status" for the user was "Disabled". Does anyone know what in Azure could possibly be causing MFA? Thanks.
- Adrianna_Clarke (Copper Contributor)
I still have this occurring in the year of our lord 2023. We exempted groups, yet once it's flagged on for everyone, we receive several people randomly that experience it.
I ended up redoing our CIDR entries for both the per user mfa exemptions and our location exemptions. It appears to be working now, but I'm still waiting to see if it resolved for everyone. In some cases, it's still trying to tell people they registered, but does this repeatedly and without rhyme or reason. In those cases, I've removed and readded the authenticator and it worked in some situations.
Please fix it, Microsoft, I beg of you.
- RDYPLYR1 (Brass Contributor)
Check to see if you have any kind of access rule. In my organization we have the by security rule to be on. HOWEVER, in our early days of adoption, when we first turned on MFA, we manually enabled it for everyone. If you have a setup like this with an access rule to turn on MFA for ALL your accounts, make sure the access rules are correctly configured and, if on, turn off the manual enablement of MFA (even if it's manually off, the access rule will be enabled), or just create an exception group to exclude those users. Just be aware you only want that off if you are INSIDE a trusted location.
- jstreeter (Copper Contributor)
MichiA1804 ArjanSchepers koenlenaerts It appears, in our case, to be tied to users who are enabled for SSPR, but have not completed registration. That seems to be the one thing we would find in common among the users getting prompted. Microsoft's response was basically, "sometimes it does that."
- ArjanSchepers (Copper Contributor)
jstreeter That would make sense, everyone in our tenant is enabled for SSPR but students don't have the MFA requirement (yet). It is completely random when it happens, I see people accessing the "App Access Panel" without MFA prompt all the time and then it just randomly asks for MFA. Mind boggling and very annoying for our help desk (and myself as administrator as the only way to fix it is to go to the per user MFA page, search for the user, and reset all their MFA stuff. And hey, only Global Admins can do that, yay!).
- mjmvn1974 (Copper Contributor)
I can't believe this was a thing in 2021, and is still present.
- koenlenaerts (Copper Contributor)
Same here, any solution yet?
- MichiA1804 (Copper Contributor)
Any news here? We discovered the same problem.
- ArjanSchepers (Copper Contributor)
MichiA1804 We have the same problem, did anyone ever find out what is the root cause of this?
- jstreeter (Copper Contributor)
We have a case open with MS. Haven't heard back from them in a while.
- jstreeter (Copper Contributor)
We're seeing this too. Has anyone made any progress on discovering the cause?
- Marian1508 (Copper Contributor)
Encountered the same situation today.
- Ankit0809
Microsoft
This behavior is by design as the MFA requirement is enforced by the Microsoft App Access Panel application itself regardless of any CA policy applying or not:
- The "Microsoft App Access Panel" application is part of the suite of apps that represent the Security Info section of Azure AD where users can manage their Azure MFA and SSPR verification methods.
- During a sign-in attempt to the Security Info section the user is prompted for Azure MFA by the "Microsoft App Access Panel" application itself via the request parameters sent by the application.
- The above behavior is entirely by design and expected for users who already have an Azure MFA method registered when accessing the Security info section. This is due to security concerns as we want to make sure that the legitimate user is the one attempting to connect to the Security Info section and for this reason, we ask the user to first perform Azure MFA based on the existing MFA method before allowing them access to manage the security info (like Azure MFA methods or SSPR methods).
- Imagine allowing a bad actor who has compromised the user's first-factor credentials (username and password) to access the Security Info section and register their own MFA methods instead of the user.
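
A triage sketch for the behaviour described in the reply above, added here as an example and not part of the original thread or any Microsoft tooling: it separates MFA prompts driven by an enforced Conditional Access policy from prompts requested by the application itself ("App requires MFA"). The sample records are constructed, and the field names are assumptions modelled on the Microsoft Graph sign-in log schema, so adjust them to match your own export.

```python
import json

# Constructed sample records. Field names are assumptions modelled on the
# Microsoft Graph sign-in log schema; adjust them to match your export.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft App Access Panel",
  "appliedConditionalAccessPolicies": [
    {"displayName": "MFA for Exchange Online", "result": "notApplied",
     "enforcedGrantControls": []}],
  "authenticationRequirementPolicies": [{"detail": "App requires MFA"}]},
 {"userPrincipalName": "bob@example.com",
  "appDisplayName": "Office 365 Exchange Online",
  "appliedConditionalAccessPolicies": [
    {"displayName": "MFA for Exchange Online", "result": "success",
     "enforcedGrantControls": ["Mfa"]}],
  "authenticationRequirementPolicies": []},
 {"userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft App Access Panel",
  "appliedConditionalAccessPolicies": [],
  "authenticationRequirementPolicies": []}
]""")

def mfa_source(entry):
    """Return (source, evidence) saying what demanded MFA for one sign-in."""
    # A Conditional Access policy only counts if it was actually enforced
    # (result success/failure) and MFA was among its grant controls.
    ca = [p["displayName"]
          for p in entry.get("appliedConditionalAccessPolicies", [])
          if p.get("result") in ("success", "failure")
          and any(c.lower() == "mfa" for c in p.get("enforcedGrantControls", []))]
    if ca:
        return "conditional-access", ca
    details = [p.get("detail", "")
               for p in entry.get("authenticationRequirementPolicies", [])]
    if any(d.strip().lower() == "app requires mfa" for d in details):
        return "app-request", details   # the application itself asked for MFA
    return ("other", details) if details else ("none", [])

def triage(signins):
    """List (user, app, source) for every sign-in where MFA was required."""
    rows = []
    for e in signins:
        source, _ = mfa_source(e)
        if source != "none":
            rows.append((e["userPrincipalName"], e["appDisplayName"], source))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_SIGNINS):
        print(*row, sep="\t")
```

Rows labelled `app-request` are the ones that no Conditional Access exclusion will silence, which matches the case the original poster describes.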
- DaveTheTeamsGuy (Iron Contributor)
This is a nice explanation, but unfortunately Microsoft App Access Panel is showing up in the workflow to register MFA for the first time.