Forum Discussion
John Twohig
Jul 13, 2022
Iron Contributor
MFA says enabled but user is using MFA
My understanding was that if O365 said that MFA was enabled for a user then that user would be required to register for MFA and, once they completed that process, their status would change from enabled to enforced.
I just noticed a user with a status of enabled who has been signing in for months with MFA. Every sign-in says the Authentication Requirement is Multifactor Authentication.
Why does his status not say enforced?
4 Replies
- Enabled/enforced only applies to the old per-user MFA controls. If MFA is being enforced via a CA policy (or anything else), the user will have to complete the MFA challenge regardless of what the per-user status is. Checking the details within the Azure AD sign-in log entry will give you a clue as to why MFA was required.
- John Twohig (Iron Contributor): There are no Conditional Access policies for MFA so, if the requirement isn't coming from the "old per-user" controls, which is where I thought it was always coming from, then where else could it come from?
I don't see much difference between this user's sign-in logs and others'. However, it does say that he uses Windows Hello for Business and others don't.
- That's likely because the user is on an Azure AD joined device and leveraging the PRT to log in - this method always counts as second factor.
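To turn the advice in this thread (check the sign-in log entry to see why MFA was required) into a repeatable check, here is an added example that is not part of the original discussion. It classifies each sign-in by what satisfied MFA and flags accounts whose per-user state is not "enforced" and whose MFA was only ever met by a device-bound credential (Windows Hello for Business / PRT). The field names are assumed to match the Microsoft Graph signIn resource, and the records are constructed sample data.

```python
"""Classify why an Azure AD sign-in satisfied MFA and find accounts whose MFA
is incidental to the device rather than required of the account.
Field names assume the Microsoft Graph signIn resource; data is constructed."""
from typing import Dict, List

# Device-bound strong credentials: these satisfy MFA without a per-user prompt.
DEVICE_BOUND_METHODS = {"windows hello for business", "primary refresh token"}


def mfa_source(sign_in: Dict) -> str:
    """Return 'none', 'conditional_access', 'device_credential' or 'user_prompt'."""
    if sign_in.get("authenticationRequirement") != "multiFactorAuthentication":
        return "none"
    for pol in sign_in.get("appliedConditionalAccessPolicies", []):
        grants = {g.lower() for g in pol.get("enforcedGrantControls", [])}
        if pol.get("result") == "success" and "mfa" in grants:
            return "conditional_access"
    methods = {d.get("authenticationMethod", "").lower()
               for d in sign_in.get("authenticationDetails", []) if d.get("succeeded")}
    if methods & DEVICE_BOUND_METHODS:
        return "device_credential"
    return "user_prompt"  # per-user MFA or another interactive second factor


def incidental_mfa_users(per_user_state: Dict[str, str], sign_ins: List[Dict]) -> List[str]:
    """Users not 'enforced' whose sign-ins only met MFA via a device credential.
    From any other device, nothing in the tenant would require MFA of them."""
    by_user: Dict[str, set] = {}
    for s in sign_ins:
        by_user.setdefault(s["userPrincipalName"], set()).add(mfa_source(s))
    return sorted(u for u, src in by_user.items()
                  if per_user_state.get(u, "disabled") != "enforced"
                  and src == {"device_credential"})


# Constructed sample sign-ins (hypothetical tenant contoso.example).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example",  # WHfB on an Azure AD joined device
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "deviceDetail": {"trustType": "Azure AD joined"},
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    {"userPrincipalName": "bob@contoso.example",  # MFA required by a CA policy
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success",
                                           "enforcedGrantControls": ["Mfa"]}],
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"userPrincipalName": "carol@contoso.example",  # single-factor sign-in
     "authenticationRequirement": "singleFactorAuthentication",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
]
PER_USER_MFA_STATE = {"alice@contoso.example": "enabled", "bob@contoso.example": "disabled"}
```

Running `incidental_mfa_users(PER_USER_MFA_STATE, SAMPLE_SIGN_INS)` on the sample returns only alice, the situation described in the question: MFA shows on every sign-in, yet neither per-user enforcement nor a CA policy actually mandates it.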