Home

Users Not Enabled for MFA still being asked to use it

%3CLINGO-SUB%20id%3D%22lingo-sub-63707%22%20slang%3D%22en-US%22%3EUsers%20Not%20Enabled%20for%20MFA%20still%20being%20asked%20to%20use%20it%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63707%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20bunch%20of%20users%20in%20my%20Tenant%2C%20and%20only%20oe%20of%20them%20(me)%20is%20enabled%20for%20MFA%2C%20as%20you%20can%20see%20in%20the%20attached%20image.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20when%20any%20of%20the%20other%20users%20in%20my%20tenant%20login%20to%20Office%20365%2C%20they%20are%20asked%20to%20enter%20the%20code%20sent%20to%20their%20mobile%20phone%2C%20which%20means%20they%20obviously%20enrolled%20for%20it%20at%20some%20point%2C%20but%20they%20are%20now%20totally%20disabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20checked%20all%20the%20settings%20for%20MFA%20in%20my%20tenant%20for%20users%20and%20also%20check%20in%20Azure%20AD%2C%20and%20everything%20says%20they%20are%20disabled%2C%20even%20PowerShell%20commands%20tell%20me%20they%20are%20disabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20have%20I%20missed%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-63707%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-63900%22%20slang%3D%22en-US%22%3ERe%3A%20Users%20Not%20Enabled%20for%20MFA%20still%20being%20asked%20to%20use%20it%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63900%22%20slang%3D%22en-US%22%3E%3CP%3EMFA%20can%20also%20be%20enforced%20via%20AD%20FS%2C%20independent%20of%20the%20settings%20in%20the%20Azure%20MFA%20portal.%20Perhaps%20you%20are%20in%20federated%20scenario%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOther%20than%20that%2C%20Conditional%20access%20can%20be%20enforced%20on%20Azure%20AD%2C%20but%20that%20requires%20enablement%20and%20licensing%2C%20so%20I%20guess%20should%20not%20be%20the%20case%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi,

 

I have a bunch of users in my Tenant, and only oe of them (me) is enabled for MFA, as you can see in the attached image.

 

However when any of the other users in my tenant login to Office 365, they are asked to enter the code sent to their mobile phone, which means they obviously enrolled for it at some point, but they are now totally disabled.

 

I've checked all the settings for MFA in my tenant for users and also check in Azure AD, and everything says they are disabled, even PowerShell commands tell me they are disabled.

 

What have I missed?

1 Reply

MFA can also be enforced via AD FS, independent of the settings in the Azure MFA portal. Perhaps you are in federated scenario?

 

Other than that, Conditional access can be enforced on Azure AD, but that requires enablement and licensing, so I guess should not be the case here.