Forum Discussion

james3149's avatar
james3149
Copper Contributor
Sep 05, 2024
Solved

Some users repeatedly prompted for MFA

All our devices are Intune joined. MFA turned on with a conditional access policy: Grant Access to: Require multifactor authentication; Session only configured Sign in frequency: x days. When m...
Azure Active Directory (AAD)
Conditional Access
MFA
Microsoft Authenticator
microsoft intune
  • james3149's avatar
    james3149
    Apr 02, 2025

    I notice user would be required to MFA if their device is not "trusted", such like not meet compliance requirements.  Push through all updates on the problem device helps.

DylanInfosec's avatar
DylanInfosec
Iron Contributor
Jan 19, 2025

Hi james3149 ,

experiencing the same thing, Hwayang ?

Are the working users also using Chrome? Wondering if these users with the broken experience are the only ones using Chrome and/or aren't getting all their configs successfully.

Fairly certain the issue you're experiencing may be related to these endpoints missing the Chrome CloudAPAuthEnabled setting. This setting allows identity objects and device attestation properties to pass through Chrome to be evaluated by your CAPs.

 

You can read more about this setting from Google Chrome, here.

How to enable it locally, here.

Finally, push this setting down to endpoints via Intune, here.

As you can see, you have options. You can push the template and configure the setting, or you can create a Remediation script that checks and sets the RegKey in the "local" instructions. If you need the remediation+detection script let me know, went that route for testing and should have the scripts somewhere.

If you give it a try I'd love to know if this helps at all. 

 

(!) Note, you have to do this for Firefox as well if you use it in your environment: In the browser and via Intune.

 

Best regards,

Dylan

 

Resources