
Conditional Access Policy / MFA - Bypass

Steve Goett
Occasional Visitor

We have been testing some conditional access policies requiring MFA when a user is off premise. One of our test users accidentally removed the Microsoft Authenticator from their mobile device, and unfortunately we can't re-enroll a new mobile device as the access policies require MFA. I've tried using the one-time bypass in the Microsoft MFA port within the classic portal, but it's not working. Is that the only way to provide a one-time bypass to a user? Is there another way to re-enroll the user in MFA? We eventually just removed them from the conditional access policy as a workaround right now. But looking for options.

 

Thanks, 

 

Steve

1 Reply

You can always reset his MFA status, forcing him to go over the "enablement" process and register the new device. If you mean that the network restrictions are causing this process to fail, add the IP address temporarily or exclude the user from the conditional access policy.
