Forum Discussion
MFA Enabled> conditional MFA policy setup > not prompting users to authenticate
Hi! This is a common scenario, and it usually comes down to two things:
Windows Hello for Business is NOT counted as an MFA method in Entra
Your Conditional Access policy may be enforcing MFA for cloud apps, but not enforcing MFA registration
Why the user can sign in without MFA
1) PC sign-in will not force an MFA prompt to the user
When the user signs into a Windows device using:
Windows Hello PIN
Windows Hello biometric
Cached credential
That is a device sign-in, not a cloud authentication flow where Conditional Access always triggers MFA.
It’s normal for the user to unlock/sign in to the PC without being forced to register for MFA.
Why Conditional Access isn’t forcing MFA registration
A Conditional Access policy that says “Require MFA” will only challenge MFA if the user already has an MFA method available.
If the user has no methods registered, CA cannot magically prompt them to register unless you also enforce:
How to enforce MFA
Microsoft Entra ID → Protection → Authentication methods → Registration policy
Enable:
Require users to register when signing in
This is the proper control for forcing MFA setup.
What to check next (quick checklist)
1) Confirm the user is in scope
Is the user excluded from the CA policy (directly or via group)?
Is the CA policy applied to All cloud apps or only some?
2) Check if the user is satisfying CA using “Device compliance”
If your CA policy allows access using:
“Require compliant device”
or “Require hybrid joined device”
Then the user may be authenticating without MFA because the compliant device is fulfilling the requirement.
Check the sign-in logs:
Entra Admin Center → Sign-in logs → Conditional Access tab
Look for:
“MFA: Not required”
“Grant controls satisfied by: Compliant device”
3) Confirm Security Defaults is OFF
If you’re using Conditional Access, Security Defaults should typically be disabled.
Recommended fix
To force users to actually register MFA methods:
Go to:
Entra Admin Center → Protection → Authentication methods → Registration policy
Enable:
“Require users to register when signing in”
Ensure your MFA CA policy is scoped correctly for cloud apps (M365, Azure, etc.
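To make the sign-in log check from step 2 repeatable, here is an added example (not from the original post) that triages an exported sign-in log and labels why each sign-in did or did not require MFA. It assumes the JSON shape of the Microsoft Graph signIn resource (authenticationRequirement, conditionalAccessStatus, appliedConditionalAccessPolicies, deviceDetail.isCompliant) and that the sample policy grants access on "MFA or compliant device"; the sign-in records themselves are constructed.

```python
import json

# Constructed sample shaped like a Microsoft Graph signIn export (field names
# follow the signIn resource; the users, policy names and values are invented).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "conditionalAccessStatus": "success",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"isCompliant": true},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA or compliant device", "result": "success",
     "enforcedGrantControls": ["Mfa", "CompliantDevice"]}]},
 {"userPrincipalName": "bob@example.com", "conditionalAccessStatus": "notApplied",
  "authenticationRequirement": "singleFactorAuthentication",
  "deviceDetail": {"isCompliant": false},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA", "result": "notApplied",
     "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "carol@example.com", "conditionalAccessStatus": "success",
  "authenticationRequirement": "multiFactorAuthentication",
  "deviceDetail": {"isCompliant": false},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA", "result": "success",
     "enforcedGrantControls": ["Mfa"]}]}
]""")


def classify(signin):
    """Return a short reason explaining the MFA outcome of one sign-in record."""
    if signin.get("authenticationRequirement") == "multiFactorAuthentication":
        return "mfa_enforced"
    if signin.get("conditionalAccessStatus") == "notApplied":
        # No policy matched this user/app: check scoping and exclusions (checklist step 1).
        return "out_of_scope"
    compliant = signin.get("deviceDetail", {}).get("isCompliant", False)
    for pol in signin.get("appliedConditionalAccessPolicies", []):
        controls = pol.get("enforcedGrantControls", [])
        if pol.get("result") == "success" and compliant and "CompliantDevice" in controls:
            # Grant control satisfied by the compliant device, so no MFA challenge (step 2).
            return "satisfied_by_compliant_device"
    return "mfa_not_required"


def triage(signins):
    """Map each user principal name to the classification of its sign-in."""
    return {s["userPrincipalName"]: classify(s) for s in signins}


if __name__ == "__main__":
    for upn, reason in triage(SAMPLE_SIGNINS).items():
        print(f"{upn:25} {reason}")
```

Point the loader at a real export (Entra Admin Center sign-in logs, JSON download) instead of SAMPLE_SIGNINS to see which users are slipping through on device compliance versus never being in scope.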