Forum Discussion
CUCOOPE
Nov 17, 2021 (Copper Contributor)
Microsoft App Access Panel requires MFA but we didn't enable it
Hi. Recently we've received a report from a user that he was asked to perform MFA when he was signing in. After checking the sign-in logs, we've found that it was an application called "Microsoft App...
Marian1508
Dec 28, 2021 (Copper Contributor)
Encountered the same situation today
Ankit0809
Nov 27, 2023 (Former Employee)
This behavior is by design as the MFA requirement is enforced by the Microsoft App Access Panel application itself regardless of any CA policy applying or not:
- The "Microsoft App Access Panel" application is part of the suite of apps that represent the Security Info section of Azure AD where users can manage their Azure MFA and SSPR verification methods.
- During a sign-in attempt to the Security Info section the user is prompted for Azure MFA by the "Microsoft App Access Panel" application itself via the request parameters sent by the application.
- The above behavior is entirely by design and expected for users who already have an Azure MFA method registered when accessing the Security info section. This is due to security concerns as we want to make sure that the legitimate user is the one attempting to connect to the Security Info section and for this reason, we ask the user to first perform Azure MFA based on the existing MFA method before allowing them access to manage the security info (like Azure MFA methods or SSPR methods).
- Imagine allowing a bad actor who has compromised the user's first-factor credentials (username and password) to access the Security Info section and register their own MFA methods instead of the user.
DaveTheTeamsGuy
Jul 09, 2024 (Iron Contributor)
This is a nice explanation, but unfortunately Microsoft App Access Panel is showing up in the workflow to register MFA for the first time.
BigMcPatty
Mar 07, 2024 (Copper Contributor)
Ankit0809 Thank you for the detailed information about the Microsoft App Access Panel. I'm currently experiencing an issue where users are being blocked from the application by our CAP that requires "Require domain-joined device". How would one create an exception for the "Require domain-joined device" requirement for this application? We are unable to exclude it from the CAP that requires domain joined devices because the "Microsoft App Access Panel" cannot be selected in the Application section of the CAP.
MichaelBurns
May 21, 2024 (Copper Contributor)
We have this exact issue and it is a real pain when users are on a BYOD mobile and get prompted to check their MFA contact information
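A triage sketch for the sign-in-log check discussed in this thread, added here as an example and not posted by any participant: it separates MFA requirements that no Conditional Access policy accounts for from ones a policy enforced, and flags blocks caused by a domain-joined-device policy. It assumes records exported in the Microsoft Graph signIn JSON shape; the sample records, users, policy names and grant-control strings are constructed.

```python
import json

APP = "Microsoft App Access Panel"  # application name as shown in the thread

# Constructed sample records. Field names assume the Microsoft Graph signIn
# JSON shape; users, policy names and control strings are made up.
SAMPLE = json.loads("""
[
 {"userPrincipalName": "a@example.com", "appDisplayName": "Microsoft App Access Panel",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "b@example.com", "appDisplayName": "Microsoft App Access Panel",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA (constructed)", "result": "success",
     "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "c@example.com", "appDisplayName": "Microsoft App Access Panel",
  "authenticationRequirement": "singleFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Domain-joined only (constructed)", "result": "failure",
     "enforcedGrantControls": ["RequireDomainJoinedDevice"]}]},
 {"userPrincipalName": "d@example.com", "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "singleFactorAuthentication",
  "appliedConditionalAccessPolicies": []}
]
""")

def controls(rec, result):
    """Lower-cased grant controls from CA policies that ended with `result`."""
    return {c.lower()
            for p in rec.get("appliedConditionalAccessPolicies") or []
            if p.get("result") == result
            for c in p.get("enforcedGrantControls") or []}

def classify(rec):
    """Explain one sign-in to the Access Panel app; None for any other app."""
    if rec.get("appDisplayName") != APP:
        return None
    if "requiredomainjoineddevice" in controls(rec, "failure"):
        return "blocked-by-device-policy"
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no-mfa"
    enforced = controls(rec, "success") | controls(rec, "failure")
    return "mfa-from-ca-policy" if "mfa" in enforced else "mfa-not-from-ca-policy"

def triage(records):
    verdicts = {r["userPrincipalName"]: classify(r) for r in records}
    return {user: v for user, v in verdicts.items() if v is not None}

print(triage(SAMPLE))
```

A `mfa-not-from-ca-policy` verdict only says that no applied policy explains the MFA requirement; it does not by itself identify which mechanism asked for it.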