Forum Discussion
MFA Shows Disabled, But Being Used
I'm really sorry to flog a dead thread about this, but I haven't seen anyone mentioning the MFA Registration Policy settings sitting under ID Protection.
I'm unable to edit this, probably because I haven't subscribed to their Premium AD license and therefore am not permitted to make the necessary changes here.
I believe this is the root of the notifications but as I said, I'm not able to make changes here.
I've gone through all the comments here, security defaults are set to no, no CA policy created and this MFA Reg Pol is the only place I can see the policy being enabled.
So after a few hours on the phone with Microsoft, it was discovered that Self Service is the culprit. It is enabled for all users; once you switch it to "None", it will not trigger MFA and will allow users to log on without an MFA challenge when MFA itself is disabled.
- ricebuqit, Dec 14, 2022, Copper Contributor
I'll have a look into that next time I get a chance!
Thanks for your update!
- George_F, Apr 21, 2023, Copper Contributor
LibraryITGuy I found the Password Reset was "selected" to all users in our company, maybe it causes the MFA prompts even if it shows Disabled in the M365 admin portal. The security default is disabled.
Another issue is, if the user lost his mobile phone and needs to reset MFA, where should I reset it? Usually, I set it in the M365 MFA portal -> Manage user settings -> ticked all the three selections, and then save.
" Require selected users to provide contact methods again
Delete all existing app passwords generated by the selected users
Restore multi-factor authentication on all remembered devices "
But now I got the error:
"MFA methods can’t be removed for the currently signed-in user account. Please visit https://aka.ms/mysecurityinfo for self operations." The URL redirects to my account profile -> security info. I know that I can delete the MFAed device, while if I already lost my mobile phone, how can I log in to my account to do that by myself?
- dazemoon, Mar 09, 2024, Copper Contributor
LibraryITGuy - this was a great help, I was going crazy with this login loop issue. I'm an admin as well as a user, so I think since I was set for MFA automatically (?) this started acting up as soon as I migrated to Win 11 for some reason. Removing MFA on my login made no difference until I tried your solution.
Anyone trying this solution be aware it can take quite a few minutes to take effect.