Forum Discussion

kkempf's avatar
kkempf
Copper Contributor
Jul 10, 2024

MFA Enabled> conditional MFA policy setup > not prompting users to authenticate

I pulled a report in Entra that shows users with no MFA authentication methods setup, but we have a conditional mfa policy setup that should enforce MFA. I have worked with a user showing on the report. Their PC is joined in entra and managed Intune. I have revoked the user session reset his MFA still the user is able to sign in to his pc with his windows hello pin or his 0365 credentials without being prompted for MFA registration authentication setup...any help

  • mr_aryalcode444's avatar
    mr_aryalcode444
    Copper Contributor

    kkempf Hi, I will assist you  

    It sounds like you’re dealing with a situation where MFA (Multi-Factor Authentication) isn’t being enforced as expected despite having a conditional MFA policy in place. Let’s troubleshoot this issue step by step:

    1. Verify the Conditional Access Policy:

      • Confirm that the conditional MFA policy is correctly configured. You can do this by checking the policy settings in the Microsoft Entra admin center.
      • Ensure that the policy is targeting the correct users, devices, and applications.
    2. User Exclusions:

      • Conditional Access policies are powerful but can sometimes exclude certain accounts unintentionally. Make sure the following accounts are excluded from your policies:
        • Emergency access or break-glass accounts: These accounts prevent tenant-wide account lockout. If all administrators are locked out, an emergency-access administrative account can be used to recover access.
        • Service accounts and service principals: These non-interactive accounts (like Microsoft Entra Connect Sync Account) should be excluded since MFA can’t be completed programmatically. Calls made by service principals won’t be blocked by Conditional Access policies scoped to users.
        • Consider replacing service accounts with managed identities if possible.
    3. Application Exclusions:

      • Some applications might not require equal security. You can exclude specific applications from your policy.
      • If you’re using Subscription Activation to enable users to “step-up” from one version of Windows to another, exclude the Universal Store Service APIs and Web Application (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) and Windows Store for Business (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) from your Conditional Access policies.
    4. MFA Registration Policy:

      • Configure the MFA registration policy to ensure that users register authentication methods (like the Microsoft Authenticator app) before they can respond to MFA prompts.
      • In the Microsoft Entra admin center:
        • Go to Protection > Identity Protection > Multifactor authentication registration policy.
        • Set Policy enforcement to Enabled.
        • Save the changes.
        • Users will be prompted to register the next time they sign in interactively, and they’ll have 14 days to complete registration. 
        • After this period, they must register before completing the sign-in process.
    5. Existing Tokens:

      • Sometimes existing tokens need to be revoked after enabling MFA. This ensures that all users are required to register for multifactor authentication.
      • As part of enabling security defaults, administrators should revoke all existing tokens.
    6. User Experience:

      • Keep in mind that during the 14-day registration period, users can bypass registration if MFA isn’t required as a condition. However, at the end of the period, they’ll be required to register before completing sign-in.

Resources