Sep 04 2024 05:24 PM
All our devices are Intune joined.
MFA is turned on with a conditional access policy:
The majority of users sign in to apps without any issue and are only required to re-authenticate with MFA after the defined x days. However, we have a small group of users who are asked for MFA every time they open a new app.
Intune shows these users' computers as "Compliant". However,
Entra - Monitoring - Sign-in logs shows:
For other users, the same sign-in logs show Authentication Details as "previously satisfied". For the affected users, even when they are working on the same app on a desktop, the logs still return "Mobile app notification" and they are therefore asked for MFA:
DSREGCMD /status returns a Diagnostic Data result that differs from devices without MFA issues: Last HostName Update : NONE.
*********************************************************************
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Virtual Desktop : NOT SET
Device Name : [COMPUTER_NAME]
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : [COMPUTER_ID]
Thumbprint : [COMPUTER_THUMBPRINT]
DeviceCertificateValidity : [ 2023-08-05 04:25:23.000 UTC -- 2033-08-05 04:55:23.000 UTC ]
KeyContainerId : [COMPUTER_KEYCONTAINERID]
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName : [TENANTNAME]
...
...
...
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : [...] (AzureAd)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC
AzureAdPrtAuthority : [...]
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : AzureAD\[USERNAME], [USEREMAILADDRESS]
KeySignTest : PASSED
DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM
HostNameUpdated : YES
Last HostName Update : NONE
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
**************************************************************************
Can someone help here and shed some light on the issue?
Sep 04 2024 06:00 PM
Troubleshooting step taken:
I excluded the affected users from the "MFA conditional policy". This morning these users signed in without being prompted for MFA anymore. Therefore, the policy affecting the behaviour is the "MFA conditional policy". Any other MFA-related policy wouldn't trigger MFA at all, or MFA repeatedly.
This "MFA conditional policy" applies to all cloud apps and any devices, without exclusions.
It seems to me the issue could be device related. Maybe some devices are "not compliant" and "not managed"?
Sep 11 2024 10:43 PM
It is not a user-related issue. I had one affected user work on a different computer. The user was only asked for MFA on the first day; the frequency settings worked for the user on the different computer.
I focused on the device investigation and noticed the majority of affected users were working on computers with Device Compliance "Error".
Some of them may also have an Antivirus error.
However, even after I ran a sync and turned the firewall off and on to force the device to resync for the new changes, and even after successfully turning the error into green "Compliant", the user still has to MFA every time they open SharePoint.
Hope someone can help on the issue.
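As an added example (not part of the original post, and not Microsoft's tooling), the PowerShell below parses `dsregcmd /status` output of the shape shown in the thread, checks the client-side fields that have to hold for the device's PRT to satisfy the MFA requirement silently, and diffs an affected device's output against a healthy one, which is the comparison the poster was doing by eye. The sample text is constructed from the redacted output above; the "healthy" copy, the one-day PRT-refresh threshold and the fixed `$Now` date are assumptions made for the demonstration.

```powershell
# Added example, not from the original post. Parses dsregcmd /status text,
# checks PRT/device-auth fields, and diffs two devices' outputs.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $parsed  = [ordered]@{}
    $section = 'Unknown'
    foreach ($line in $Lines) {
        # Section headers look like "| Device State |" (padding varies).
        if ($line -match '^\|\s*(.+?)\s*\|\s*$') { $section = $Matches[1]; continue }
        # Fields look like "AzureAdPrt : YES". Split on the first colon only, so
        # values that contain colons (URLs, timestamps) are kept whole.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $parsed["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $parsed
}

function Test-DsregcmdSsoHealth {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Status,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # Fields that must hold for the device PRT to satisfy MFA without a prompt.
    $expected = [ordered]@{
        'Device State/AzureAdJoined'      = 'YES'
        'Device Details/DeviceAuthStatus' = 'SUCCESS'
        'Device Details/TpmProtected'     = 'YES'
        'User State/WamDefaultSet'        = 'YES'
        'SSO State/AzureAdPrt'            = 'YES'
        'Diagnostic Data/KeySignTest'     = 'PASSED'
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        $findings.Add([pscustomobject]@{ Check = $key; Value = $actual; Ok = ($actual -eq $expected[$key]) })
    }
    # PRT timestamps are printed as "yyyy-MM-dd HH:mm:ss.fff UTC".
    $fmt     = 'yyyy-MM-dd HH:mm:ss.fff'
    $culture = [cultureinfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
               [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $expiry  = $Status['SSO State/AzureAdPrtExpiryTime']
    if ($expiry) {
        $exp = [datetime]::ParseExact($expiry.Replace(' UTC', ''), $fmt, $culture, $styles)
        $findings.Add([pscustomobject]@{ Check = 'SSO State/AzureAdPrtExpiryTime'; Value = $expiry; Ok = ($exp -gt $Now) })
    }
    $updated = $Status['SSO State/AzureAdPrtUpdateTime']
    if ($updated) {
        $upd = [datetime]::ParseExact($updated.Replace(' UTC', ''), $fmt, $culture, $styles)
        # Assumption (heuristic): a PRT not refreshed for over a day on an active
        # device is worth a closer look, since the PRT is renewed periodically in use.
        $findings.Add([pscustomobject]@{ Check = 'SSO State/AzureAdPrtUpdateTime'; Value = $updated; Ok = (($Now - $upd) -lt [timespan]::FromDays(1)) })
    }
    return $findings
}

function Compare-DsregcmdStatus {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Affected,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Healthy,
        # Per-device identifiers and timestamps always differ; skip them.
        [string[]]$IgnorePattern = @('DeviceId', 'Thumbprint', 'KeyContainerId', 'Device Name', 'Time', 'Executing Account Name')
    )
    $keys = @($Affected.Keys) + @($Healthy.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        if ($IgnorePattern | Where-Object { $key -like "*$_*" }) { continue }
        if ($Affected[$key] -ne $Healthy[$key]) {
            [pscustomobject]@{ Field = $key; Affected = $Affected[$key]; Healthy = $Healthy[$key] }
        }
    }
}

# Constructed sample, abridged from the redacted output in the thread.
$affectedRaw = @'
| Device State |
AzureAdJoined : YES
Device Name : PC-AFFECTED
| Device Details |
TpmProtected : YES
DeviceAuthStatus : SUCCESS
| User State |
WamDefaultSet : YES
WamDefaultId : https://login.microsoft.com
| SSO State |
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC
| Diagnostic Data |
KeySignTest : PASSED
Last HostName Update : NONE
'@ -split "`r?`n"
# Assumed "healthy" device: identical apart from the name and a populated host-name update.
$healthyRaw = $affectedRaw -replace 'PC-AFFECTED', 'PC-HEALTHY' -replace 'Last HostName Update : NONE', 'Last HostName Update : 2024-09-04 01:10:00.000 UTC'

$affected = ConvertFrom-DsregcmdStatus $affectedRaw
$healthy  = ConvertFrom-DsregcmdStatus $healthyRaw
Test-DsregcmdSsoHealth -Status $affected -Now ([datetime]::new(2024, 9, 4, 12, 0, 0, [DateTimeKind]::Utc)) | Format-Table
Compare-DsregcmdStatus -Affected $affected -Healthy $healthy | Format-Table
# On a real machine, capture live output in the affected user's own session:
# $live = ConvertFrom-DsregcmdStatus (dsregcmd /status)
```

Two caveats when using this on real machines: the User State and SSO State sections reflect the account that runs `dsregcmd`, so run it in the affected user's own non-elevated session rather than an elevated prompt under an admin account, or the PRT fields you are checking belong to the wrong user. And this script only covers the client side; the "previously satisfied" versus "Mobile app notification" distinction in the Entra sign-in log is the service's view of whether the device PRT was accepted, so a device that passes every check here but still logs "Mobile app notification" points back at the Conditional Access evaluation rather than at the local join or PRT state.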