Some users repeatedly prompted for MFA


All our devices are Intune joined.

MFA turned on with a conditional access policy:

  • Grant Access to: Require multifactor authentication;
  • Session only configured Sign in frequency: x days.

While the majority of users sign in to apps without any issue, and are only required to re-authenticate with MFA after the defined x days, we have a small group of users who are asked for MFA every time they open a new app.

Intune indicates these users' computers are "Compliant". However, Entra - Monitoring - Sign-in logs shows:

[screenshot: james3149_0-1725423558682.png]

In the same monitoring for other users, Authentication Details are "Previously satisfied". For these users, even when they are working on the same app on a desktop, they are still returned with "Mobile app notification" and are therefore asked for MFA:

[screenshot: james3149_1-1725423682705.png]


DSREGCMD /status returns some different Diagnostic Data results compared to other devices without MFA issues: Last HostName Update : NONE.

*********************************************************************

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           Virtual Desktop : NOT SET
               Device Name : [COMPUTER_NAME]

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : [COMPUTER_ID]
                Thumbprint : [COMPUTER_THUMBPRINT]
 DeviceCertificateValidity : [ 2023-08-05 04:25:23.000 UTC -- 2033-08-05 04:55:23.000 UTC ]
            KeyContainerId : [COMPUTER_KEYCONTAINERID]
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : [TENANTNAME]
                 ...
                 ...
                 ...

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : [...] (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
      AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC
       AzureAdPrtAuthority : [...]
             EnterprisePrt : NO
    EnterprisePrtAuthority :
                 OnPremTgt : NO
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : AzureAD\[USERNAME], [USEREMAILADDRESS]
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

**************************************************************************

Can someone help here and shed some light on the issue?
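When comparing dsregcmd /status output across many machines, it helps to parse it rather than eyeball it. The following is an added example (not code from the post or from Microsoft): it parses the section/field layout shown above into a dictionary, evaluates the fields that device-based Conditional Access depends on (join state, device auth, PRT presence and expiry), and diffs two captures so that a difference like "Last HostName Update : NONE" is surfaced automatically. The embedded sample is a constructed excerpt using the values and placeholders from the post; the "healthy" variant used in the demo is also constructed.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the dsregcmd /status output quoted in the
# post: field names are the real ones, values and placeholders are copied
# from the post as-is (a real capture would be read from a file instead).
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : [COMPUTER_NAME]

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
      AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

               KeySignTest : PASSED
           HostNameUpdated : YES
      Last HostName Update : NONE
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")          # "| Device State |"
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")  # "Field : value"
DSREG_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f UTC"           # dsregcmd timestamp layout


def parse_dsregcmd(text):
    """Turn dsregcmd /status text into {section: {field: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or not line or line.startswith("+"):
            continue
        field = FIELD_RE.match(line)
        if field:
            sections[current][field.group(1)] = field.group(2)
    return sections


def check_device_sso(sections, now_utc):
    """Evaluate the fields device-based Conditional Access relies on.
    now_utc uses the same timestamp format as dsregcmd.
    Returns a list of (field, ok, observed_value)."""
    now = datetime.strptime(now_utc, DSREG_TIME_FMT)
    state = sections.get("Device State", {})
    details = sections.get("Device Details", {})
    sso = sections.get("SSO State", {})
    wanted = [("AzureAdJoined", "YES", state), ("DeviceAuthStatus", "SUCCESS", details),
              ("TpmProtected", "YES", details), ("AzureAdPrt", "YES", sso)]
    results = [(f, sec.get(f) == want, sec.get(f)) for f, want, sec in wanted]
    expiry_raw = sso.get("AzureAdPrtExpiryTime", "")
    try:
        expiry_ok = datetime.strptime(expiry_raw, DSREG_TIME_FMT) > now
    except ValueError:
        expiry_ok = False  # missing or unparsable expiry: treat the PRT as not valid
    results.append(("AzureAdPrtExpiryTime", expiry_ok, expiry_raw))
    return results


def diff_status(healthy, affected):
    """Fields whose values differ between two parsed captures, as
    {(section, field): (healthy_value, affected_value)}."""
    diffs = {}
    for section in set(healthy) | set(affected):
        h, a = healthy.get(section, {}), affected.get(section, {})
        for field in set(h) | set(a):
            if h.get(field) != a.get(field):
                diffs[(section, field)] = (h.get(field), a.get(field))
    return diffs


if __name__ == "__main__":
    affected = parse_dsregcmd(SAMPLE_STATUS)
    for field, ok, seen in check_device_sso(affected, "2024-09-04 00:00:00.000 UTC"):
        print(f"{'OK ' if ok else 'BAD'} {field}: {seen}")
    # Constructed "healthy" capture: identical except for the hostname update field.
    healthy = parse_dsregcmd(SAMPLE_STATUS.replace(
        "Last HostName Update : NONE", "Last HostName Update : 2024-09-03 10:00:00.000 UTC"))
    print(diff_status(healthy, affected))
```

On the post's own values every check passes, which is consistent with the finding that the device record itself is fine: the PRT is present and valid, and the only field that differs from a healthy machine is Last HostName Update. Running diff_status over captures from a known-good and a known-bad device narrows the investigation to the fields that actually differ.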

2 Replies

Troubleshooting step taken:

I excluded the affected users from the "MFA conditional policy". This morning these users signed in without being prompted for MFA anymore. Therefore, the policy affecting the behaviour is the "MFA conditional policy". Any other MFA-related policy wouldn't trigger MFA at all, or trigger MFA repeatedly.

In this "MFA conditional policy", we apply it to all cloud apps and any devices, without exclusions.

It seems to me the issue could be device related. Maybe some devices are "not compliant" and "not managed"?

[screenshot: james3149_0-1725497721121.png]

It is not a user-related issue. I had one affected user work on a different computer. The user was only asked for MFA on the first day. The frequency settings worked for the user on a different computer.

I focused on the device investigation, and noticed the majority of affected users were working on a computer with Device Compliance "Error".

[screenshot: james3149_0-1726119514406.png]

[screenshot: james3149_1-1726119559640.png]

Some of them may also have an Antivirus error.
However, even after I ran a sync and turned the firewall off and on to force the device to resync the new changes, and successfully turned the error into green compliant, the user still has to MFA every time they open SharePoint.

Hope someone can help with the issue.
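The thread's reasoning (same user behaves normally on another computer, affected users cluster on non-compliant devices) can be checked systematically from the sign-in logs rather than one entry at a time. The following is an added example, not code from the post or from Microsoft. It assumes the sign-in logs have been exported in the shape of the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, deviceDetail, authenticationDetails); the records, user names, device ids and the method/result wording in them are constructed for this demonstration. For each user it counts fresh MFA challenges versus "Previously satisfied" entries, flags challenges that recur on the same device inside the sign-in frequency window, and lists which of those users' devices were not reported compliant.

```python
from datetime import datetime, timedelta

# Methods that mean the user was actually challenged. Constructed list: the
# real log may show other method names, extend it to match your tenant.
MFA_METHODS = {"Mobile app notification", "Mobile app verification code",
               "Text message", "Phone call"}


def _rec(upn, when, device_id, compliant, method, detail):
    """Build one constructed record shaped like the Graph signIn resource."""
    return {
        "userPrincipalName": upn,
        "createdDateTime": when,
        "appDisplayName": "SharePoint Online",
        "conditionalAccessStatus": "success",
        "deviceDetail": {"deviceId": device_id, "isCompliant": compliant,
                         "isManaged": True, "trustType": "Azure AD joined"},
        "authenticationDetails": [{"authenticationMethod": method, "succeeded": True,
                                   "authenticationStepResultDetail": detail}],
    }


DONE = "MFA completed in Azure AD"                          # constructed wording
CLAIM = "MFA requirement satisfied by claim in the token"   # constructed wording

# Constructed sample: alice is challenged once, then "Previously satisfied";
# bob is re-challenged on dev-B (not compliant) but behaves normally on dev-C.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "2024-09-02T08:00:00Z", "dev-A", True, "Mobile app notification", DONE),
    _rec("alice@contoso.example", "2024-09-02T09:30:00Z", "dev-A", True, "Previously satisfied", CLAIM),
    _rec("alice@contoso.example", "2024-09-03T10:00:00Z", "dev-A", True, "Previously satisfied", CLAIM),
    _rec("bob@contoso.example", "2024-09-02T08:05:00Z", "dev-B", False, "Mobile app notification", DONE),
    _rec("bob@contoso.example", "2024-09-02T08:40:00Z", "dev-B", False, "Mobile app notification", DONE),
    _rec("bob@contoso.example", "2024-09-03T09:00:00Z", "dev-B", False, "Mobile app notification", DONE),
    _rec("bob@contoso.example", "2024-09-04T09:00:00Z", "dev-C", True, "Mobile app notification", DONE),
    _rec("bob@contoso.example", "2024-09-05T09:00:00Z", "dev-C", True, "Previously satisfied", CLAIM),
]


def fresh_mfa(record):
    """True when an MFA method was actually performed in this sign-in rather
    than carried over ("Previously satisfied") from an earlier session."""
    for step in record.get("authenticationDetails", []):
        text = (step.get("authenticationMethod", "") + " "
                + step.get("authenticationStepResultDetail", "")).lower()
        if (step.get("authenticationMethod") in MFA_METHODS
                and step.get("succeeded") and "previously satisfied" not in text):
            return True
    return False


def summarize(records, window_days):
    """Per user: sign-ins, fresh MFA prompts, prompts that recurred on the same
    device inside the sign-in frequency window, and the devices used."""
    by_user, window = {}, timedelta(days=window_days)
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        info = by_user.setdefault(rec["userPrincipalName"], {
            "sign_ins": 0, "prompts": 0, "within_window": 0, "devices": {}, "_last": {}})
        info["sign_ins"] += 1
        dev = rec.get("deviceDetail", {})
        dev_id = dev.get("deviceId") or "unknown"
        info["devices"][dev_id] = {"compliant": dev.get("isCompliant"),
                                   "managed": dev.get("isManaged")}
        if fresh_mfa(rec):
            t = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            last = info["_last"].get(dev_id)   # first prompt on a new device is expected
            if last is not None and t - last < window:
                info["within_window"] += 1
            info["prompts"] += 1
            info["_last"][dev_id] = t
    for info in by_user.values():
        del info["_last"]
    return by_user


def suspect_users(summary):
    """Users re-challenged inside the window: points at a device/session issue."""
    return sorted(u for u, i in summary.items() if i["within_window"] > 0)


def noncompliant_devices(summary):
    """Devices used by suspect users that Intune did not report as compliant."""
    return sorted({d for u in suspect_users(summary)
                   for d, v in summary[u]["devices"].items() if not v["compliant"]})


if __name__ == "__main__":
    s = summarize(SAMPLE_SIGNINS, window_days=14)
    for upn, info in s.items():
        print(upn, info["sign_ins"], "sign-ins,", info["prompts"], "MFA prompts,",
              info["within_window"], "inside the window")
    print("suspect users:", suspect_users(s), "non-compliant devices:", noncompliant_devices(s))
```

Set window_days to the x days configured in the policy's sign-in frequency. The per-device bookkeeping matters: a user who moves to a second computer is legitimately challenged once there, so only repeat challenges on the same device count as anomalies. In the constructed sample only bob is flagged, and only dev-B (the non-compliant one) is involved, which is the pattern the thread describes.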