MFA says enabled but user is using MFA

Iron Contributor

My understanding was that if O365 said that MFA was enabled for a user then that user would be required to register for MFA and, once they completed that process, their status would change from enabled to enforced.


I just noticed a user with a status of enabled who has been signing in for months with MFA. Every signin says the Authentication Requirement is Multifactor Authentication. 


Why does his status not say enforced?

4 Replies
Enabled/enforced only applies to the old per-user MFA controls. If MFA is being enforced via CA policy (or anything else), the user will have to complete MFA challenge regardless of what the per-user status is. Checking the details within the Azure AD sign-in logs entry will give you a clue as to why MFA was required.
There are no Conditional Access policies for MFA so, if the requirement isn't coming from the "old per-user" controls, which is where I thought it was always coming from, then where else could it come from?

I don't see much difference between this user's sign-in logs and others. However, it does say that he uses Windows Hello for Business and others don't.
best response confirmed by John Twohig (Iron Contributor)
That's likely because the user is on a Azure AD joined device and leveraging the PRT to login - this method always counts as second-factor.

@Vasil Michev 


Yes. He is one of the few users we have whose laptop is managed by Intune and Azure AD joined.