SOLVED

MFA registration is asked even if it is set off everywhere

Occasional Contributor

Hello

 

I have a user, that had previously MFA set up. I removed the MFA method from his settings.

 

When he logs in, he got's a prompt to set up MFA.

PekkaPek_0-1646384731877.png

MFA is disabled per user. And there is not conditional access policy or security defaults enabled.

 

My question is, how to disable this promt and MFA entirely for this user.

 

Regards,

Pekka

7 Replies

Hello @Pekka-Pek. So few things to check, is this a recent tenant with Security Defaults enabled? This may enforce MFA in certain cases. If Security Defaults is not enabled, and no Conditional Access policy exists that forces MFA, the only other option I can think of is the per user MFA setting. Once it is enabled for a user, it will turn to "enforced", and could cause the user to now be prompted continuously. When changing the per-user MFA, there's actually a 'disable' option, have you tried this?

 

pvanberlo_0-1646385161475.png

 

 

@Pekka-Pek,

Supplement on top of @pvanberlo, you can make sure the setting from the Azure AD admin center where can redirect from O365 Admin Center.

Link Reference:
https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/982013

@pvanberlo thank you for the suggestions.

 

To me it seems that the per user MFA is turned off for this specific user.

PekkaPek_0-1646401905185.png

 

Regards,

Pekka

I would check what the output is using PowerShell and if necessary remove the StrongAuthenticationRequirement there.

Get-MsolUser -UserPrincipalName <username> | Set-MsolUser -StrongAuthenticationRequirements @()

Thanks for the quick reply. I checked it out right away, but it seems to be also empty.

 

PekkaPek_0-1646403040571.png

I also tried to toggle MFA required to enable and back to disabled state.

But the problem seems to prevail.

 

It also come to my mind that could the prompt come from self service password reset. I have to check that later, but it will go probably next week.

 

Regards,

Pekka

Ah yes. SSPR could also be causing such prompts.
best response confirmed by Pekka-Pek (Occasional Contributor)
Solution

Yes, seems that the issue is solved. SSPR was on for all users of the tenant.

 

I went on the registration prompts and set it up. After that the prompt has not been shown and still no MFA is required when logging in. I probably mixed MFA registration prompt and SSPR registration prompt. Sorry for the confusion and thank you for your helpful efforts! I hope this can help also others wondering the same thing.

 

Regards,

Pekka