Excluding a user from MFA with Conditional Access


I'm having some issues with excluding users from MFA with Conditional Access. The user I'm trying to exclude is a functional account. The thing is, this account is in both the include and the exclude part of this setting, because the user is a member of the Azure group that all users are in.

With this configuration, the user is still getting prompted for MFA registration when logging into Office 365. So the exclusion doesn't seem to override the inclusion option.

Do I need to remove this user from the Azure group that all users are members of, or is there another solution for this?

8 Replies
Exclusion overrides inclusion policy. I would suggest validating the CA policies against the user in question using the What If tool and also analysing the sign-in logs.
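The precedence rule stated in the reply above (an exclusion wins over an inclusion) can be modelled directly. The following is an added example written for this page, not code from the thread or from Microsoft. It mirrors the shape of the Microsoft Graph conditionalAccessPolicy user assignment (conditions.users with includeUsers, excludeUsers, includeGroups, excludeGroups), but the policy name, group IDs and object IDs are made up, and only the user/group assignment is modelled, not the app, platform or location conditions a real policy also evaluates.

```python
"""Model of how a Conditional Access policy's user/group assignment resolves.

Constructed example: the policy dictionary below mimics the Microsoft Graph
conditionalAccessPolicy resource shape, but all IDs and names are invented.
"""
from dataclasses import dataclass, field

# Microsoft Graph uses the literal string "All" in includeUsers to mean every user.
ALL = "All"


@dataclass
class Principal:
    """The signing-in identity: object ID plus its transitive group membership."""
    object_id: str
    group_ids: set = field(default_factory=set)


def user_scope_result(policy: dict, principal: Principal) -> str:
    """Return 'excluded', 'included' or 'not in scope' for one policy.

    Order matters: exclusions are checked first, so a principal that is in both
    an included group and an excluded group resolves to 'excluded'.
    """
    users = policy["conditions"]["users"]
    if principal.object_id in users.get("excludeUsers", []):
        return "excluded"
    if principal.group_ids & set(users.get("excludeGroups", [])):
        return "excluded"
    include_users = users.get("includeUsers", [])
    if ALL in include_users or principal.object_id in include_users:
        return "included"
    if principal.group_ids & set(users.get("includeGroups", [])):
        return "included"
    return "not in scope"


def policy_applies(policy: dict, principal: Principal) -> bool:
    """True only if the policy is enabled and the principal ends up included.

    Graph policy states are 'enabled', 'disabled' and
    'enabledForReportingButNotEnforced' (report-only); only 'enabled' enforces.
    """
    if policy.get("state") != "enabled":
        return False
    return user_scope_result(policy, principal) == "included"


# Constructed data reproducing the situation described in the thread:
# an all-users group is included, a separate exclusion group is excluded,
# and the functional account is a member of both.
ALL_USERS_GROUP = "11111111-1111-1111-1111-111111111111"      # made-up group ID
MFA_EXCLUSION_GROUP = "22222222-2222-2222-2222-222222222222"  # made-up group ID
FUNCTIONAL_ACCOUNT = "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"   # made-up object ID
ORDINARY_USER = "bbbbbbbb-0000-0000-0000-bbbbbbbbbbbb"        # made-up object ID

REQUIRE_MFA_POLICY = {
    "displayName": "Require MFA for all users",  # hypothetical policy name
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": [],
            "includeGroups": [ALL_USERS_GROUP],
            "excludeUsers": [],
            "excludeGroups": [MFA_EXCLUSION_GROUP],
        }
    },
    "grantControls": {"builtInControls": ["mfa"]},
}

functional = Principal(FUNCTIONAL_ACCOUNT, {ALL_USERS_GROUP, MFA_EXCLUSION_GROUP})
ordinary = Principal(ORDINARY_USER, {ALL_USERS_GROUP})

if __name__ == "__main__":
    for label, who in (("functional account", functional), ("ordinary user", ordinary)):
        outcome = user_scope_result(REQUIRE_MFA_POLICY, who)
        print(f"{label}: {outcome}, applies={policy_applies(REQUIRE_MFA_POLICY, who)}")
```

Under this model the functional account resolves to "excluded" even though it is in the included all-users group, and the policy does not apply to it, which is the outcome a "Not applied" entry on the Conditional Access tab of the sign-in log describes. Membership is evaluated transitively, so when checking a real tenant the group set passed in should be the user's transitive memberships, not just direct ones.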
I'm not sure what you mean by the What If tool. I checked the sign-in logs in Azure and it says Single-factor authentication on the Basic info tab. On the Conditional Access tab no info is displayed; it only says Not applicable. The Authentication Details tab is also empty, with no information.

I just logged in with this account, and I'm still getting an MFA registration prompt in Office 365.

Thanks for the link. I've been able to use the What If option. It seems that the CA policies are not applied because of Users and Groups. Why is that? The state of the policies is set to On.
Not applied could also mean that the user is being excluded. Is it the same in the Azure sign-in logs? Is the issue with only 1 CA policy or all of them? Are you licensed for CA?
The user is a member of 2 Azure groups, where one is included and one excluded. And I want the user to be excluded. Microsoft says exclusion will override inclusion. So the user should be excluded now.

There are multiple CA policies that are not applied. All of them are not applied, except 'only Block access for unknown or unsupported device platform', which is applied.

I see that the Azure Active Directory subscription is active.
Is there any way you can share details of the sign-in logs for the UPN in question? Otherwise the only other option will be to open a case with MS support.

@rahuljindal-MVP In the sign-in logs I see Conditional Access: Not Applied, Authentication method: Single-factor authentication.