Forum Discussion

Eddie78723's avatar
Eddie78723
Copper Contributor
Apr 17, 2020

MFA Shows Disabled, But Being Used

When I visit Azure Active Directory -> Users -> Multi-Factor Authentication, our initial accounts show "Multi-Factor Auth Status" as "Disabled", but we are seeing MFA prompts.  I find it confusing th...
Authentication
Germaum's avatar
Germaum
Brass Contributor
Apr 18, 2020
Try this:
1. Go to https://portal.azure.com
2. Use the search bar on the upper middle part of the page and search of "Azure Active Directory".
3. Under Azure Active Directory, search for Properties on the left-hand panel. It is in-between of User Settings and Security.
4. Under the Properties, click on Manage Security defaults.
5. Under the Enable Security defaults, toggle it to NO.
6. Wait for few minutes for propagation then try to sign-in using InPrivate or Incognito.

Let me know what will happen.
wannapolkallama's avatar
wannapolkallama
Copper Contributor
Sep 10, 2020

Germaum Sorry to bring a dead thread back but we're having a similar issue with Security Defaults disabled. Though it's not every user. We're currently tracking one high profile user. Our tenant responds that MFA is disabled when checked via powershell. (The script works properly for other users so we know the script is good). The users still gets MFA prompts and his account allows for additional security settings even though the MFA is "Disabled".

Any clues as to why this might happen to a small number of users and why it may happen even though default security settings are/have been off?

  • scumdog's avatar
    scumdog
    Copper Contributor
    Sep 10, 2020

    wannapolkallama 

     

    Office 365
    If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created. (referenced from https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

     

     

    Try this:
    1. Go to https://portal.azure.com
    2. Use the search bar on the upper middle part of the page and search of "Azure Active Directory".
    3. Under Azure Active Directory, search for Properties on the left-hand panel. It is in-between of User Settings and Security.
    4. Under the Properties, click on Manage Security defaults.
    5. Under the Enable Security defaults, toggle it to NO.
    6. Wait for few minutes for propagation then try to sign-in using InPrivate or Incognito.

     

    (referenced from https://techcommunity.microsoft.com/t5/identity-authentication/mfa-shows-disabled-but-being-used/m-p/1317212)

     

    • wannapolkallama's avatar
      wannapolkallama
      Copper Contributor
      Sep 10, 2020
      Our tenant was created well before Oct 2019, but I did check that anyway. Those are the steps that I followed to verify that we currently have the managed security defaults set to off when I sent the first message. 🙂 Thanks for verifying that I took the steps though. I should have notated that in my first message.
      • Carbonero's avatar
        Carbonero
        Copper Contributor
        Dec 22, 2020

        wannapolkallama Any luck with this. I have a similar situation. Everything is turned off, yet still getting the MFA prompt

    • scumdog's avatar
      scumdog
      Copper Contributor
      Sep 10, 2020
      That's what worked for me.

Resources