Forum Discussion
MFA Enabled> conditional MFA policy setup > not prompting users to authenticate
I pulled a report in Entra that shows users with no MFA authentication methods set up, but we have a conditional MFA policy set up that should enforce MFA. I have worked with a user showing on the report. Their PC is joined in Entra and managed by Intune. I have revoked the user's session and reset his MFA; still the user is able to sign in to his PC with his Windows Hello PIN or his O365 credentials without being prompted for MFA registration/authentication setup... any help?
3 Replies
- Jaspreet_Singh17 (Copper Contributor)
Hi! This is a common scenario, and it usually comes down to two things:
Windows Hello for Business is NOT counted as an MFA method in Entra
Your Conditional Access policy may be enforcing MFA for cloud apps, but not enforcing MFA registration
Why the user can sign in without MFA
1) PC sign-in will not force MFA prompt to the user
When the user signs into a Windows device using:
Windows Hello PIN
Windows Hello biometric
Cached credential
That is a device sign-in, not a cloud authentication flow where Conditional Access always triggers MFA.
It’s normal for the user to unlock/sign in to the PC without being forced to register for MFA.
Why Conditional Access isn’t forcing MFA registration
A Conditional Access policy that says “Require MFA” will only challenge MFA if the user already has an MFA method available.
If the user has no methods registered, CA cannot magically prompt them to register unless you also enforce:
How to enforce MFA
Microsoft Entra ID → Protection → Authentication methods → Registration policy
Enable:
Require users to register when signing in
This is the proper control for forcing MFA setup.
What to check next (quick checklist)
1) Confirm the user is in scope
Is the user excluded from the CA policy (directly or via group)?
Is the CA policy applied to All cloud apps or only some?
2) Check if the user is satisfying CA using “Device compliance”
If your CA policy allows access using:
“Require compliant device”
or “Require hybrid joined device”
Then the user may be authenticating without MFA because the compliant device is fulfilling the requirement.
Check the sign-in logs:
Entra Admin Center → Sign-in logs → Conditional Access tab
Look for:
“MFA: Not required”
“Grant controls satisfied by: Compliant device”
3) Confirm Security Defaults is OFF
If you’re using Conditional Access, Security Defaults should typically be disabled.
Recommended fix
To force users to actually register MFA methods:
Go to:
Entra Admin Center → Protection → Authentication methods → Registration policy
Enable:
“Require users to register when signing in”
Ensure your MFA CA policy is scoped correctly for cloud apps (M365, Azure, etc.).
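As an added example (not part of either reply, and not Microsoft's code), the following Python script walks sign-in log records and reports, for each one, why no MFA prompt occurred: MFA was actually required, the sign-in was a non-interactive token refresh, no policy applied (scope or exclusion), or a policy was satisfied by another grant control such as device compliance. The records are constructed for this example and mirror a subset of the Microsoft Graph `signIn` fields (`conditionalAccessStatus`, `appliedConditionalAccessPolicies`, `enforcedGrantControls`, `authenticationRequirement`, `isInteractive`); the control strings such as `RequireCompliantDevice` are assumed from typical exports, so compare them against your own download from Entra Admin Center → Sign-in logs before relying on the matching.

```python
"""Explain why each sign-in produced no MFA prompt (added example, constructed data)."""
import json
from typing import Dict, Tuple

# Constructed sample mirroring a subset of Graph `signIn` fields: four sign-ins by
# one user. s1 was MFA-challenged, s2 was satisfied by device compliance, s3 had
# no policy applied, s4 is a non-interactive token refresh.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "user@contoso.example", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"id": "s2", "userPrincipalName": "user@contoso.example", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA or compliant device", "result": "success",
          "enforcedGrantControls": ["RequireCompliantDevice"]}]},
    {"id": "s3", "userPrincipalName": "user@contoso.example", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "notApplied",
          "enforcedGrantControls": []}]},
    {"id": "s4", "userPrincipalName": "user@contoso.example", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": []},
])


def explain(entry: dict) -> Tuple[str, str]:
    """Return (reason_code, detail) for one sign-in record."""
    if entry.get("authenticationRequirement") == "multiFactorAuthentication":
        return "mfa_required", "MFA was required; check authenticationDetails for the method used"
    if not entry.get("isInteractive", True):
        return "non_interactive", ("token refresh; Conditional Access was evaluated at the "
                                   "original interactive sign-in, not here")
    policies = entry.get("appliedConditionalAccessPolicies", [])
    if entry.get("conditionalAccessStatus") == "notApplied":
        names = ", ".join(p.get("displayName", "?") for p in policies) or "none"
        return "no_policy_applied", (f"no policy enforced (user/app out of scope or excluded); "
                                     f"evaluated: {names}")
    for policy in policies:
        if policy.get("result") != "success":
            continue
        controls = policy.get("enforcedGrantControls", [])
        # A policy that passed without an MFA control was satisfied by something
        # else, typically a compliant or hybrid-joined device.
        if not any("mfa" in c.lower() for c in controls):
            return "satisfied_by_other_control", (f"'{policy.get('displayName')}' "
                                                  f"satisfied by {controls}")
    return "unknown", "no rule matched; inspect the full record"


def triage(signins_json: str) -> Dict[str, Tuple[str, str]]:
    """Map sign-in id -> (reason_code, detail) for every record in a JSON export."""
    return {e["id"]: explain(e) for e in json.loads(signins_json)}


if __name__ == "__main__":
    for sid, (code, detail) in triage(SAMPLE_SIGNINS).items():
        print(f"{sid}: {code} - {detail}")
```

To use it on real data, replace `SAMPLE_SIGNINS` with the contents of a JSON export of the sign-in logs filtered to the affected user; the `satisfied_by_other_control` and `no_policy_applied` codes correspond to the "Grant controls satisfied by: Compliant device" and out-of-scope cases in the checklist above.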
- mr_aryalcode444 (Copper Contributor)
kkempf Hi, I will assist you.
It sounds like you’re dealing with a situation where MFA (Multi-Factor Authentication) isn’t being enforced as expected despite having a conditional MFA policy in place. Let’s troubleshoot this issue step by step:
Verify the Conditional Access Policy:
- Confirm that the conditional MFA policy is correctly configured. You can do this by checking the policy settings in the Microsoft Entra admin center.
- Ensure that the policy is targeting the correct users, devices, and applications.
User Exclusions:
- Conditional Access policies are powerful but can sometimes exclude certain accounts unintentionally. Make sure the following accounts are excluded from your policies:
- Emergency access or break-glass accounts: These accounts prevent tenant-wide account lockout. If all administrators are locked out, an emergency-access administrative account can be used to recover access.
- Service accounts and service principals: These non-interactive accounts (like Microsoft Entra Connect Sync Account) should be excluded since MFA can’t be completed programmatically. Calls made by service principals won’t be blocked by Conditional Access policies scoped to users.
- Consider replacing service accounts with managed identities if possible.
Application Exclusions:
- Some applications might not require equal security. You can exclude specific applications from your policy.
- If you’re using Subscription Activation to enable users to “step-up” from one version of Windows to another, exclude the Universal Store Service APIs and Web Application (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) and Windows Store for Business (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) from your Conditional Access policies.
MFA Registration Policy:
- Configure the MFA registration policy to ensure that users register authentication methods (like the Microsoft Authenticator app) before they can respond to MFA prompts.
- In the Microsoft Entra admin center:
- Go to Protection > Identity Protection > Multifactor authentication registration policy.
- Set Policy enforcement to Enabled.
- Save the changes.
- Users will be prompted to register the next time they sign in interactively, and they’ll have 14 days to complete registration.
- After this period, they must register before completing the sign-in process.
Existing Tokens:
- Sometimes existing tokens need to be revoked after enabling MFA. This ensures that all users are required to register for multifactor authentication.
- As part of enabling security defaults, administrators should revoke all existing tokens.
User Experience:
- Keep in mind that during the 14-day registration period, users can bypass registration if MFA isn’t required as a condition. However, at the end of the period, they’ll be required to register before completing sign-in.
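As a second added example (not from either reply, and not Microsoft's code), this Python linter reads a Conditional Access policy in the JSON shape of the Graph `conditionalAccessPolicy` resource and flags the scoping gaps discussed in this thread: a report-only state, an OR between `mfa` and `compliantDevice` (the compliant-device path the first reply describes), an app scope narrower than All cloud apps, and a policy with no emergency-access exclusion as recommended above. `is_user_in_scope` answers the first reply's "excluded directly or via group" question for one user and their group memberships. Both policies and every GUID are constructed placeholders.

```python
"""Lint a Conditional Access policy for MFA scoping gaps (added example, constructed data)."""
import json
from typing import List, Tuple

# Constructed policies shaped after the Graph `conditionalAccessPolicy` resource.
# All GUIDs are placeholders, not values from the thread or any tenant.
WEAK_POLICY = json.dumps({
    "displayName": "Require MFA - all users",
    "state": "enabledForReportingButNotEnforced",          # report-only: enforces nothing
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["00000000-0000-0000-0000-00000000aaaa"]},  # placeholder group
        "applications": {"includeApplications": ["Office365"], "excludeApplications": []},
    },
    # OR lets a compliant device satisfy the policy with no MFA at all
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
})

HARDENED_POLICY = json.dumps({
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["00000000-0000-0000-0000-0000000000bb"],  # placeholder break-glass
                  "excludeGroups": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
})

Finding = Tuple[str, str]  # (code, human-readable detail)


def lint_policy(policy_json: str) -> List[Finding]:
    """Return the list of gaps found in one policy; an empty list means none matched."""
    p = json.loads(policy_json)
    findings: List[Finding] = []

    state = p.get("state")
    if state != "enabled":
        findings.append(("not_enforced", f"state is '{state}', so nothing is enforced"))

    grant = p.get("grantControls") or {}
    controls = [c.lower() for c in grant.get("builtInControls", [])]
    if "mfa" not in controls:
        findings.append(("no_mfa_control", "grant controls do not require MFA"))
    elif len(controls) > 1 and grant.get("operator", "").upper() == "OR":
        others = [c for c in controls if c != "mfa"]
        findings.append(("or_operator", f"operator OR lets {others} satisfy the policy without MFA"))

    conds = p.get("conditions", {})
    apps = conds.get("applications", {}).get("includeApplications", [])
    if apps != ["All"]:
        findings.append(("app_scope", f"only {apps} are covered; other apps get no MFA prompt"))

    users = conds.get("users", {})
    if users.get("includeUsers") != ["All"] and not users.get("includeGroups"):
        findings.append(("user_scope", "no users or groups are included"))
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        findings.append(("no_breakglass_exclusion",
                         "exclude at least one emergency-access account"))
    return findings


def is_user_in_scope(policy_json: str, user_id: str, group_ids: List[str]) -> bool:
    """True if the policy applies to this user, honouring direct and group exclusions."""
    users = json.loads(policy_json).get("conditions", {}).get("users", {})
    if user_id in users.get("excludeUsers", []):
        return False
    if any(g in users.get("excludeGroups", []) for g in group_ids):
        return False
    if users.get("includeUsers", []) == ["All"] or user_id in users.get("includeUsers", []):
        return True
    return any(g in users.get("includeGroups", []) for g in group_ids)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

The exclusion check is deliberately one-sided: it flags a policy with no exclusions at all (no break-glass account), but it cannot tell a legitimate exclusion from an accidental one, which is why `is_user_in_scope` is there to test the specific user from the original question against the policy's exclusion lists.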