Forum Discussion
MFA Shows Disabled, But Being Used
1. Go to https://portal.azure.com
2. Use the search bar in the upper middle part of the page and search for "Azure Active Directory".
3. Under Azure Active Directory, look for Properties on the left-hand panel. It is in between User Settings and Security.
4. Under Properties, click on Manage Security defaults.
5. Under Enable Security defaults, toggle it to NO.
6. Wait a few minutes for propagation, then try to sign in using InPrivate or Incognito.
Let me know what will happen.
Yes, our tenant space is set up to use the security defaults as mentioned on this page https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults. If you turn off Security Defaults, the multi-factor authentication page still shows that no accounts have MFA set up, even though they are set up for MFA. It really seems like when Security Defaults was implemented they must have set things up to ignore the existing MFA settings altogether. I would really like to see that MFA is turned on for a user whether using the fancy Conditional Access that I am reading about or Security Defaults.
- PeterRising, Apr 18, 2020, MVP
Have you turned the security defaults off now? If so, it may take a while for the settings to take effect throughout your tenant.
Once you can verify that these settings are no longer applying, I'd recommend using Conditional Access Policies for MFA instead of relying on the Security defaults as these apply blanket settings. You can find this at https://portal.azure.com under Azure Active Directory > Security > Conditional Access.
You will see some Baseline policies there. Don't enable those as they also apply blanket settings, and they are due to be deprecated. I'd highly suggest you create your own CA Policies. I'd recommend at a minimum a policy to require MFA for all privileged admin roles, but don't forget to exclude your permanent break glass account(s) from this policy as you don't want to get locked out.
- Thijs Lecomte, Apr 18, 2020, Bronze Contributor
If you have enabled Security Defaults, the Multifactor Authentication page will always show MFA as displayed.
This MFA page (often referred to as Office 365 MFA) is the old way of implementing MFA.
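Added example, not part of any post in this thread: a check over exported Conditional Access policies that flags an admin MFA policy which is not enforced or does not exclude the break glass account, as recommended above. It assumes the policies are JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the IDs, sample policies and function names are constructed for illustration.

```python
# Added example: audit exported Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy JSON shape). All IDs and policies are constructed.
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-000000000001"}  # constructed object ID
ADMIN_ROLE = "11111111-1111-1111-1111-111111111111"  # placeholder role template ID

def make_policy(name, state, exclude_users):
    """Build a constructed sample policy that requires MFA for ADMIN_ROLE."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {"includeRoles": [ADMIN_ROLE],
                                 "excludeUsers": exclude_users}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

SAMPLE_POLICIES = [
    make_policy("Require MFA for admins", "enabled", []),
    make_policy("Require MFA for admins (pilot)",
                "enabledForReportingButNotEnforced", sorted(BREAK_GLASS_IDS)),
]

def is_admin_mfa_policy(policy):
    """True when the policy targets directory roles and grants on MFA."""
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    return bool(users.get("includeRoles")) and "mfa" in grant.get("builtInControls", [])

def audit(policies, break_glass_ids):
    """Return (policy name, problem) pairs for admin MFA policies."""
    findings, enforced = [], False
    for policy in filter(is_admin_mfa_policy, policies):
        name, state = policy["displayName"], policy.get("state")
        if state != "enabled":
            # Report-only or disabled policies do not actually require MFA.
            findings.append((name, "not enforced (state=%s)" % state))
            continue
        enforced = True
        excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
        if break_glass_ids - excluded:
            findings.append((name, "break glass account not excluded"))
    if not enforced:
        findings.append(("<tenant>", "no enforced MFA policy for admin roles"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_POLICIES, BREAK_GLASS_IDS):
        print(name + ": " + problem)
```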