Creating MFA conditional Policy, not triggering to enroll when signing in.

Brass Contributor

We're looking to rollout MFA for all our users, specifically just for any access to their Exchange Online and Microsoft Teams. I've followed the the instructions from Microsoft's Knowledge article:

What I have setup:


New Conditional Access Policy (MFA Pilot):

Users > At the moment just including a specific group that i have my test users part of.

Target Resources > Cloud Apps > Office 365 Exchange Online & Microsoft Teams

Conditions > Client Apps > Enabled and checked all "Modern authentication clients" options (Browser/Mobile app and desktop clients/Legacy authentication clients/Exchange ActiveSync clients/Other clients)

Grant > Grant Access > Require multifactor authentication (Enabled)


Under Protection > Authentication Methods

  • Microsoft Authenticator (Enabled) > Authentication Mode: Any

    • Only Targeting the group my test users are in.

From my understanding with all of that enabled and set, when an account that is currently not setup for MFA yet, once they log into anything Exchange Online (or just signing into for the first time) should trigger to get enrolled and register for the first time.


I've set these and its been about 2 hours and when i use one of my test accounts and log into with it on a different machine, it still just normally logs in and doesn't trigger to enroll into MFA.



2 Replies
The is a separate "app" and doesn't fall within the scope of your policy. Get the user to login to OWA instead. Or better yet, remove those conditions, you should protect all cloud apps and client types with MFA.

Even if end users are not registered for MFA, the Conditional Access Policy (CAP) should prompt them to register for MFA to access the resource.

In your scenario, have you checked the sign-in logs to confirm if the CAP is being applied? Additionally, have you tested the "What if" functionality under Conditional Access Policy to evaluate your newly created policy?