Forum Discussion

Eddie78723
Copper Contributor
Apr 17, 2020

MFA Shows Disabled, But Being Used

When I visit Azure Active Directory -> Users -> Multi-Factor Authentication, our initial accounts show "Multi-Factor Auth Status" as "Disabled", but we are seeing MFA prompts. I find it confusing that something shows "disabled" that is really turned on somehow? Is there more than one type of MFA?

We just received a trial for G1 as part of building a use case for moving to Office 365. I set up the tenant space by confirming our identity, and I am a Global Administrator. I was prompted to set up MFA on my second logon, but I don't recall being offered any option other than text message. My understanding is that I had to turn on MFA for our accounts, so I just set up SMS to get logged on the second time.

  •
    tourchain
    Copper Contributor

    Eddie78723, sorry to hit this point again. Even though the users were set to Disabled in the MFA setup, when a user logs in it still requires MFA. Some users need to log in without MFA. How can we set that? I did both in Properties and Conditional Access, but it did not seem to work. Thank you.

    •
      ricebuqit
      Copper Contributor

      tourchain


      I'm really sorry to flog a dead thread about this, but I haven't seen anyone mention the MFA Registration Policy settings sitting under ID Protection.

      I'm unable to edit this, probably because I haven't subscribed to their Premium AD license and therefore am not permitted to make the necessary changes here.


      I believe this is the root of the notifications but as I said, I'm not able to make changes here.


      I've gone through all the comments here: security defaults are set to No, no CA policy is created, and this MFA Reg Pol is the only place I can see the policy being enabled.

      •
        CarlOlsenRX
        Copper Contributor
        Thanks, this was it for me. It was not the Device MFA settings, the legacy setting, or the CA. It was the Identity Protection.
  •
    Michael_Long
    Copper Contributor
    One thing that can cause MFA prompts, even for MFA-disabled accounts, is Azure Active Directory > Password Reset > Registration: "Require users to register when signing in?" set to Yes.
    It doesn't matter what the user's MFA settings say: MFA has to be set up for the user in order to use Self-Service Password Reset. Requiring the user to register when signing in will trigger that registration prompt if they don't have MFA set up.
  •
    bkneece
    Copper Contributor

    If anyone sees this again, log into Azure, search for Conditional Access to bring up the Conditional Access interface, and see if you have a Conditional Access policy applied. It will likely have one titled "Require MFA for Everyone." If that policy is in the list of Conditional Access policies, delete it. Problem solved. Or at least in my case. Whether or not you have MFA enabled at the user level is superseded by this policy, and it won't even show MFA as enabled at the user level even though this policy is forcing it. Again, this was the case for me. Mileage may vary. Eddie78723

  •
    Ryan_Tusia
    Copper Contributor

    Eddie78723 


    What we found is that you can enable MFA through MyAccount.Microsoft.com > Security Info > Update Info. If it is enabled here, the Azure portal continues to show that it is not enabled, yet it functions. If set up this way, then changing it in Azure has virtually no effect (except your PowerShell reporting will be correct again).

    Let me know if I am wrong on any points, but it seems to hold true for us.

  •
    Adam Lavery
    Copper Contributor

    This is all down to a new and ill-conceived UI from Microsoft. They've basically combined MFA setup with account recovery setup. Prior to this change, if you had self-service password reset enabled, on first login users would be prompted to set up a recovery phone and email. If MFA was enabled, they'd be prompted to set up MFA.

    The combined approach is highly confusing when you don't want MFA. It still allows a user to set up MFA even when it's disabled on the account in Azure. Indeed, it's designed to make you think you have to set it up. Just more nonsense from unskilled product managers and developers with little experience of the real world and zero common sense.

    Same with the Security Defaults. These force use of MFA for all accounts, despite Microsoft's own recommendation to have at least one GA account not using MFA in case of MFA issues. Indeed, a non-MFA GA account is needed for hybrid operation as well as for any 3rd-party services that need access to the 365 tenant.

    Anyhow, the solution is to ignore the initial presentation of the setup. For option 1, select Phone instead of Authenticator App from the dropdown. Then complete the phone verification as it used to be done. Then select Email for option 2 and complete that. The account is now set up with the password reset info needed but without MFA enabled.

    That still leaves the issue that, if the user chose to enable MFA during initial account setup, this won't be reflected in AAD. That still shows MFA as disabled!

  •
    Germaum
    Brass Contributor
    Try this:
    1. Go to https://portal.azure.com
    2. Use the search bar at the upper middle of the page and search for "Azure Active Directory".
    3. Under Azure Active Directory, find Properties in the left-hand panel. It is between User Settings and Security.
    4. Under Properties, click on Manage Security defaults.
    5. Under Enable Security defaults, toggle it to No.
    6. Wait a few minutes for propagation, then try to sign in using an InPrivate or Incognito window.

    Let me know what happens.
    •
      wannapolkallama
      Copper Contributor

      Germaum, sorry to bring a dead thread back, but we're having a similar issue with Security Defaults disabled. Though it's not every user. We're currently tracking one high-profile user. Our tenant responds that MFA is disabled when checked via PowerShell. (The script works properly for other users, so we know the script is good.) The user still gets MFA prompts, and his account allows for additional security settings even though MFA is "Disabled".

      Any clues as to why this might happen to a small number of users, and why it may happen even though default security settings are/have been off?

    •
      scumdog
      Copper Contributor

      Germaum, thank you, this resolved my issue after wasting way too much time trying to find the cause.

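The thread names five separate places that can produce an MFA prompt while the per-user "Multi-Factor Auth Status" column reads Disabled: security defaults (Germaum), a Conditional Access policy with an MFA grant control (bkneece), the SSPR "require users to register" setting (Michael_Long), the Identity Protection MFA registration policy (ricebuqit, CarlOlsenRX), and methods a user registered on their own at MyAccount (Ryan_Tusia). The PowerShell below is an added example, not a script from any poster: for one user it reads each of those sources that Microsoft Graph exposes, then reads the beta sign-in log field that records which provider actually demanded MFA on recent sign-ins, which is the single check that settles the question. It assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell SDK modules, an account that can consent to the listed read scopes, and a placeholder UPN; `Get-MgBetaUserAuthenticationRequirement` is assumed to be the beta cmdlet for `users/{id}/authentication/requirements`. The SSPR registration toggle and the Identity Protection registration policy are not read directly here (check them in the portal), but a sign-in they forced shows up in the log with a registration-related `RequirementProvider` value rather than `securityDefaults` or a CA policy name.

```powershell
<#
  Added example (not from any poster in this thread): for one user, read the
  MFA-prompt sources the thread names that Microsoft Graph exposes, then read
  the sign-in log field that says which source actually demanded MFA.

  Assumptions: Microsoft.Graph and Microsoft.Graph.Beta SDK modules installed;
  the signed-in account can consent to the scopes below; $Upn is a placeholder.
  Get-MgBetaUserAuthenticationRequirement is assumed to be the beta cmdlet for
  users/{id}/authentication/requirements (PerUserMfaState).
#>
param(
    [Parameter(Mandatory)][string]$Upn   # placeholder, e.g. 'user@contoso.example'
)

Connect-MgGraph -NoWelcome -Scopes @(
    'Policy.Read.All', 'UserAuthenticationMethod.Read.All',
    'AuditLog.Read.All', 'Directory.Read.All'
)

# 1. Security defaults (the toggle Germaum's step 5 turns off). When true, every
#    user is pushed to register and use MFA regardless of the per-user column.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled : $($sd.IsEnabled)"

# 2. Enabled Conditional Access policies whose grant control includes MFA
#    (bkneece's 'Require MFA for Everyone'). Report-only policies are skipped.
$caMfa = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and ($_.GrantControls.BuiltInControls -contains 'mfa')
}
"CA policies requiring MFA : $(@($caMfa).Count)"
foreach ($p in $caMfa) {
    "  - $($p.DisplayName)  users: $($p.Conditions.Users.IncludeUsers -join ', ')"
}

# 3. Per-user (legacy) MFA state. This is the value behind the portal's
#    'Multi-Factor Auth Status' column, i.e. the 'Disabled' the thread keeps seeing.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$req  = Get-MgBetaUserAuthenticationRequirement -UserId $user.Id
"Per-user MFA state        : $($req.PerUserMfaState)"

# 4. Methods the user registered (MyAccount > Security info, Ryan_Tusia's point).
#    A registered Authenticator app or phone is what a prompt can actually use,
#    and it exists whether or not the legacy column says Disabled.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
"Registered methods        :"
foreach ($m in $methods) {
    "  - " + $m.AdditionalProperties['@odata.type'].Replace('#microsoft.graph.', '')
}

# 5. The authoritative answer: recent sign-ins with the provider that required MFA.
#    RequirementProvider distinguishes securityDefaults, Conditional Access, the
#    per-user setting ('user') and the Identity Protection / SSPR registration
#    requirements that ricebuqit and Michael_Long describe.
$signIns = Get-MgBetaAuditLogSignIn -Top 10 -Filter "userPrincipalName eq '$Upn'"
"Recent sign-ins           :"
foreach ($s in $signIns) {
    $providers = ($s.AuthenticationRequirementPolicies |
        ForEach-Object { $_.RequirementProvider }) -join ','
    $applied = ($s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'success' } |
        ForEach-Object { $_.DisplayName }) -join ','
    "  {0:u}  {1,-28} {2,-26} providers=[{3}] ca=[{4}]" -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.AuthenticationRequirement,
        $providers, $applied
}
```

Save it as a .ps1 and run it with `-Upn` set to the affected user. Read section 5 first: a line whose `AuthenticationRequirement` is `multiFactorAuthentication` names, in `providers=[...]`, the thing that asked for the second factor, so there is no need to guess among the portal blades. Sections 1 to 4 then show why the portal column disagrees: the legacy per-user state in section 3 is only one of several inputs, and a registered method in section 4 is what the prompt uses even when that state is Disabled.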