Forum Discussion
MFA Shows Disabled, But Being Used
Germaum Sorry to bring a dead thread back but we're having a similar issue with Security Defaults disabled. Though it's not every user. We're currently tracking one high-profile user. Our tenant responds that MFA is disabled when checked via PowerShell. (The script works properly for other users so we know the script is good). The user still gets MFA prompts and his account allows for additional security settings even though the MFA is "Disabled".
Any clues as to why this might happen to a small number of users and why it may happen even though default security settings are/have been off?
Office 365
If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created. (referenced from https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
Try this:
1. Go to https://portal.azure.com
2. Use the search bar on the upper middle part of the page and search for "Azure Active Directory".
3. Under Azure Active Directory, search for Properties on the left-hand panel. It is in between User Settings and Security.
4. Under the Properties, click on Manage Security defaults.
5. Under the Enable Security defaults, toggle it to NO.
6. Wait a few minutes for propagation, then try to sign in using InPrivate or Incognito.
(referenced from https://techcommunity.microsoft.com/t5/identity-authentication/mfa-shows-disabled-but-being-used/m-p/1317212)
- scumdog, Sep 10, 2020, Copper Contributor: That's what worked for me.
- wannapolkallama, Sep 10, 2020, Copper Contributor: Our tenant was created well before Oct 2019, but I did check that anyway. Those are the steps that I followed to verify that we currently have the managed security defaults set to off when I sent the first message. 🙂 Thanks for verifying that I took the steps though. I should have notated that in my first message.
- Carbonero, Dec 22, 2020, Copper Contributor:
wannapolkallama Any luck with this? I have a similar situation. Everything is turned off, yet still getting the MFA prompt.
- MichaelMittermair, Jan 10, 2021, Copper Contributor:
Hi,
I had the same problem. I had already disabled the security default settings.
I solved the problem by deleting the saved information.
This means:
- Go to the "Multi-Factor authentication" page (https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365)
- Select the user and click the "Manage user settings" link on the right side
- In the new popup, select "Require selected users to provide contact methods again". This will remove the saved settings, and also the MFA settings of the user.
- After this, the user can log in, but has to provide the security info (phone and alternative mail address) again.
Afterwards, the login in an incognito window was possible without asking for MFA.
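
Added example, not part of any post in this thread: a read-only PowerShell check of the two settings discussed above, the tenant's security defaults toggle and the sign-in methods still registered for one user. It assumes the Microsoft Graph PowerShell SDK is installed and that the admin running it can consent to the two read scopes; the UPN is a placeholder.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in the tenant.
# Assumption: the Microsoft.Graph PowerShell SDK is installed.
param(
    # Placeholder value: replace with the account being investigated.
    [string]$UserPrincipalName = 'user@example.com'
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. The tenant-wide "Enable Security defaults" toggle from the portal steps.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# 2. The sign-in methods still stored for the user. This is the saved
#    information that "Require selected users to provide contact methods
#    again" clears.
$methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName

$registered = foreach ($m in $methods) {
    # The concrete method type is carried in the @odata.type annotation.
    $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{ Type = $type; Id = $m.Id }
}

# The password itself is listed as a method; it is not a second factor.
$secondFactors = @($registered | Where-Object { $_.Type -ne 'passwordAuthenticationMethod' })

[pscustomobject]@{
    User                    = $UserPrincipalName
    SecurityDefaultsEnabled = $defaults.IsEnabled
    RegisteredMethodCount   = $secondFactors.Count
    RegisteredMethods       = ($secondFactors.Type -join ', ')
}
```

Comparing this output for an affected user and an unaffected one shows whether the two accounts differ in registered methods while the tenant-wide toggle is the same for both.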