Conditional Access not working as expected

Hi guys i'm trying to configure Conditional Access for our users. We have Windows 10 managed Notebooks, which are AAD Joined and have Windows Hello for Business configured, which everything is ju...

Conditional Access

ChristianJBergstrom
Dec 04, 2021
Yes, all users should be forced to use MFA. Here's an article I found just now which explains it all as you're on WHFB, much better than if I would give it a go! https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032

Going forward, try out the What if tool and the Report-only option when you experience odd stuff. Perhaps you'd benefit using the new CA templates in preview too. Have a look https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common (the article was updated recently but you'll see those that are common to use if you scroll down)

As sign-in frequency also includes MFA nowadays you should be able to get this working.

Good luck!

marckuhn

Brass Contributor

Dec 08, 2021

ChristianJBergstrom

Thanks for that and your help on this. The only thing which is a little special that it shows that the Windows Sign In with Hello for Business is Single Factor and not Multi Factor, but has the MFA accepted. Would be better for the understanding, or what do you think?

ChristianJBergstrom

MVP

Dec 08, 2021

Hello again, no worries. I think it's fun. I understand it's confusing but from my understanding it's simply because Windows Hello for Business sign-in is a form of MFA, which utilizes the PRT, gets the claim, satisfies the strong authentication and Azure AD honors that claim. It's detailed in the above link under the "subtle points".

Forum Discussion

Conditional Access not working as expected

Resources