John Twohig
Jul 13, 2022 (Iron Contributor)
MFA says enabled but user is using MFA
My understanding was that if O365 said that MFA was enabled for a user then that user would be required to register for MFA and, once they completed that process, their status would change from enabl...
VasilMichev
Jul 13, 2022 (MVP)
Enabled/enforced only applies to the old per-user MFA controls. If MFA is being enforced via CA policy (or anything else), the user will have to complete the MFA challenge regardless of what the per-user status is. Checking the details within the Azure AD sign-in logs entry will give you a clue as to why MFA was required.
John Twohig
Jul 14, 2022 (Iron Contributor)
There are no Conditional Access policies for MFA so, if the requirement isn't coming from the "old per-user" controls, which is where I thought it was always coming from, then where else could it come from?
I don't see much difference between this user's sign-in logs and others. However, it does say that he uses Windows Hello for Business and others don't.
- VasilMichev, Jul 14, 2022 (MVP): That's likely because the user is on an Azure AD joined device and leveraging the PRT to log in - this method always counts as second-factor.
- John Twohig, Jul 18, 2022 (Iron Contributor)
Yes. He is one of the few users we have whose laptop is managed by Intune and Azure AD joined.
Thanks
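
Added example, not part of the thread: one way to follow the suggestion of checking the sign-in log details, by pulling out of each exported entry what demanded MFA and which authentication step satisfied it. The records are constructed, and the field names assume the shape of the Microsoft Graph beta signIn resource, so verify them against your own export.

```python
import json
from collections import Counter

# Constructed sample records (not real log data). Field names are an assumption
# based on the Microsoft Graph beta signIn resource.
SAMPLE = json.loads("""[
 {"userPrincipalName": "hello.user@example.com",
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationRequirementPolicies": [{"requirementProvider": "user"}],
  "authenticationDetails": [
   {"authenticationMethod": "Windows Hello for Business", "succeeded": true,
    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"userPrincipalName": "other.user@example.com",
  "authenticationRequirement": "singleFactorAuthentication",
  "authenticationRequirementPolicies": [],
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"}]},
 {"userPrincipalName": "hello.user@example.com",
  "authenticationRequirement": "multiFactorAuthentication",
  "authenticationRequirementPolicies": null,
  "authenticationDetails": []}
]""")

def explain(entry):
    """For one sign-in: was MFA required, what required it, what satisfied it."""
    policies = entry.get("authenticationRequirementPolicies") or []  # may be null
    steps = entry.get("authenticationDetails") or []
    return {
        "user": entry.get("userPrincipalName"),
        "mfa_required": entry.get("authenticationRequirement") == "multiFactorAuthentication",
        "required_by": sorted({p.get("requirementProvider", "unknown") for p in policies}),
        "satisfied_by": [(s.get("authenticationMethod"), s.get("authenticationStepResultDetail"))
                         for s in steps if s.get("succeeded")],
    }

def summarise(entries):
    """Count MFA-required sign-ins per (user, requirement source, methods used)."""
    counts = Counter()
    for e in map(explain, entries):
        if e["mfa_required"]:
            source = tuple(e["required_by"]) or ("unattributed",)
            methods = tuple(m for m, _ in e["satisfied_by"]) or ("none recorded",)
            counts[(e["user"], source, methods)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).items():
        print(n, key)
```
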