@kkempf Hi, I will assist you.
It sounds like you’re dealing with a situation where MFA (Multi-Factor Authentication) isn’t being enforced as expected despite having a conditional MFA policy in place. Let’s troubleshoot this issue step by step:
Verify the Conditional Access Policy:
- Confirm that the conditional MFA policy is correctly configured. You can do this by checking the policy settings in the Microsoft Entra admin center.
- Ensure that the policy is targeting the correct users, devices, and applications.
User Exclusions:
- Conditional Access policies are powerful but can sometimes exclude certain accounts unintentionally. Make sure the following accounts are excluded from your policies:
  - Emergency access or break-glass accounts: These accounts prevent tenant-wide account lockout. If all administrators are locked out, an emergency-access administrative account can be used to recover access.
  - Service accounts and service principals: These non-interactive accounts (like the Microsoft Entra Connect Sync Account) should be excluded since MFA can’t be completed programmatically. Calls made by service principals won’t be blocked by Conditional Access policies scoped to users.
  - Consider replacing service accounts with managed identities if possible.
Application Exclusions:
- Some applications might not require equal security. You can exclude specific applications from your policy.
- If you’re using Subscription Activation to enable users to “step-up” from one version of Windows to another, exclude the Universal Store Service APIs and Web Application (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) and Windows Store for Business (AppID: 45a330b1-b1ec-4cc1-9161-9f03992aa49f) from your Conditional Access policies.
MFA Registration Policy:
- Configure the MFA registration policy to ensure that users register authentication methods (like the Microsoft Authenticator app) before they can respond to MFA prompts.
- In the Microsoft Entra admin center:
  - Go to Protection > Identity Protection > Multifactor authentication registration policy.
  - Set Policy enforcement to Enabled.
  - Save the changes.
- Users will be prompted to register the next time they sign in interactively, and they’ll have 14 days to complete registration.
- After this period, they must register before completing the sign-in process.
Existing Tokens:
- Sometimes existing tokens need to be revoked after enabling MFA. This ensures that all users are required to register for multifactor authentication.
- As part of enabling security defaults, administrators should revoke all existing tokens.
User Experience:
- Keep in mind that during the 14-day registration period, users can bypass registration if MFA isn’t required as a condition. However, at the end of the period, they’ll be required to register before completing sign-in.
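As an added example (not part of the answer above and not Microsoft's own tooling), the script below audits Conditional Access policy objects for the gaps the answer walks through: whether the policy is actually enabled, whether its grant control requires MFA, whether the affected user is excluded or simply not included, whether break-glass accounts are excluded, and which applications are excluded. The `$policies` array is constructed sample data in the shape returned by `Get-MgIdentityConditionalAccessPolicy` so the script runs offline; the user and break-glass object IDs are placeholders, and the only real identifier is the Universal Store Service APIs AppID quoted in the answer.

```powershell
# Added example: audit Conditional Access policies for the coverage gaps discussed above.
# $policies is CONSTRUCTED sample data. For a live tenant replace it with:
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $policies = Get-MgIdentityConditionalAccessPolicy -All
# All user/group GUIDs below are placeholders.

function New-Finding {
    param([string] $Policy, [string] $Severity, [string] $Message)
    [pscustomobject]@{ Policy = $Policy; Severity = $Severity; Message = $Message }
}

function Test-MfaPolicyCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string]   $AffectedUserId,   # object ID of the user who is never prompted
        [string[]] $BreakGlassIds = @()                      # object IDs that SHOULD be excluded
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($p in $Policies) {
        $name = $p.DisplayName

        # A report-only or disabled policy enforces nothing, whatever its conditions say.
        if ($p.State -ne 'enabled') {
            $findings.Add((New-Finding $name 'High' "State is '$($p.State)'; policy is not enforced."))
            continue
        }

        # The grant control must require MFA (built-in 'mfa' or an authentication strength).
        $controls    = @($p.GrantControls.BuiltInControls)
        $requiresMfa = ($controls -contains 'mfa') -or ($null -ne $p.GrantControls.AuthenticationStrength)
        if (-not $requiresMfa) {
            $findings.Add((New-Finding $name 'High' "Grant control does not require MFA (controls: $($controls -join ', '))."))
        }

        # User scoping: an explicit exclusion or a missing inclusion both mean "no prompt".
        $incUsers = @($p.Conditions.Users.IncludeUsers)
        $excUsers = @($p.Conditions.Users.ExcludeUsers)
        if ($excUsers -contains $AffectedUserId) {
            $findings.Add((New-Finding $name 'High' "Affected user $AffectedUserId is explicitly excluded."))
        }
        elseif (-not (($incUsers -contains 'All') -or ($incUsers -contains $AffectedUserId))) {
            $findings.Add((New-Finding $name 'Medium' "Affected user is not directly included (IncludeUsers: $($incUsers -join ', ')); check group membership."))
        }

        # Break-glass accounts should be excluded to avoid tenant-wide lockout.
        foreach ($bg in $BreakGlassIds) {
            if ($excUsers -notcontains $bg) {
                $findings.Add((New-Finding $name 'Medium' "Break-glass account $bg is not excluded from this policy."))
            }
        }

        # Application exclusions: sign-ins to these apps are never challenged by this policy.
        $excApps = @($p.Conditions.Applications.ExcludeApplications)
        if ($excApps.Count -gt 0) {
            $findings.Add((New-Finding $name 'Info' "Excluded applications: $($excApps -join ', ')."))
        }
    }
    return $findings
}

# ---- constructed sample data (placeholders) ----
$affectedUser = '11111111-1111-1111-1111-111111111111'
$breakGlass   = @('22222222-2222-2222-2222-222222222222')

$policies = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @($affectedUser); ExcludeGroups = @() }
            Applications = [pscustomobject]@{ IncludeApplications = @('All'); ExcludeApplications = @('45a330b1-b1ec-4cc1-9161-9f03992aa49f') }
        }
        GrantControls = [pscustomobject]@{ Operator = 'OR'; BuiltInControls = @('mfa'); AuthenticationStrength = $null }
    },
    [pscustomobject]@{
        DisplayName   = 'Require MFA for admins (report-only)'
        State         = 'enabledForReportingButNotEnforced'
        Conditions    = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = @($affectedUser); ExcludeUsers = @(); ExcludeGroups = @() }
            Applications = [pscustomobject]@{ IncludeApplications = @('All'); ExcludeApplications = @() }
        }
        GrantControls = [pscustomobject]@{ Operator = 'OR'; BuiltInControls = @('mfa'); AuthenticationStrength = $null }
    }
)

Test-MfaPolicyCoverage -Policies $policies -AffectedUserId $affectedUser -BreakGlassIds $breakGlass |
    Format-Table -AutoSize

# To confirm what actually happened at sign-in time, the sign-in log shows per-policy results
# (requires AuditLog.Read.All; Microsoft.Graph.Reports module):
#   Get-MgAuditLogSignIn -Filter "userId eq '$affectedUser'" -Top 10 |
#       Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus
```

With the sample data, the first policy reports the affected user as explicitly excluded and lists the store AppID as an excluded application, and the second policy is flagged as not enforced because it is report-only. Group-based inclusions and exclusions are not resolved here because that needs directory lookups; when a user is not directly named, check their group membership against `ExcludeGroups` as the next step.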