Forum Discussion
Conditional Access enforces MFA but Service Account still ask to secure account
Hi,
I've setup Conditional Access policies to enforce MFA. But it excludes a group for service accounts.
Whenever we login to a Service Account, they all ask to secure your account. Hit next > It says no MFA options are available > Skip.
Both our own MFA conditional access policy and MS per-user conditional access policy excludes this group. The Legacy per-user authentication policy has all accounts disabled there in favour of the conditional access policy.
We must be missing something here. Some of these are shared inboxes, others regular user accounts.
Many of these services requires login through the typical Microsoft sign in screen to authorize access. Some does not support OpenID.
So how do I 100% exclude service accounts from MFA? And how do I get rid of this popup to secure these accounts when it says no MFA options are available?
TIA
1 Reply
What’s happening here is that even though your Conditional Access policies exclude service accounts from MFA, another policy is likely prompting them to register security information. This “secure your account” message doesn’t come from the MFA enforcement itself but from the security info registration requirement that’s part of Identity Protection or SSPR (Self-Service Password Reset). To fix it, check in Entra ID under Security → Identity Protection → MFA registration policy and make sure your service account group is excluded there as well. Also review your SSPR settings and confirm that these accounts aren’t required to register password recovery methods. Finally, double-check that per-user MFA is completely disabled and use the Conditional Access “What If” tool to see which policy is causing the prompt. If possible, consider converting those service accounts to app registrations or managed identities, since those don’t require MFA or interactive sign-ins at all.
------------------------------------
Don't forget to mark as solution if my answer suits you
