cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating MFA conditional Policy, not triggering to enroll when signing in.

William Lampert
Brass Contributor

‎Mar 26 2024 01:09 PM

‎Mar 26 2024 01:09 PM

Creating MFA conditional Policy, not triggering to enroll when signing in.

We're looking to rollout MFA for all our users, specifically just for any access to their Exchange Online and Microsoft Teams. I've followed the the instructions from Microsoft's Knowledge article: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa

What I have setup:

 

New Conditional Access Policy (MFA Pilot):

Users > At the moment just including a specific group that i have my test users part of.

Target Resources > Cloud Apps > Office 365 Exchange Online & Microsoft Teams

Conditions > Client Apps > Enabled and checked all "Modern authentication clients" options (Browser/Mobile app and desktop clients/Legacy authentication clients/Exchange ActiveSync clients/Other clients)

Grant > Grant Access > Require multifactor authentication (Enabled)

 

Under Protection > Authentication Methods

  • Microsoft Authenticator (Enabled) > Authentication Mode: Any

    • Only Targeting the group my test users are in.

From my understanding with all of that enabled and set, when an account that is currently not setup for MFA yet, once they log into anything Exchange Online (or just signing into office.com for the first time) should trigger to get enrolled and register for the first time.

 

I've set these and its been about 2 hours and when i use one of my test accounts and log into office.com with it on a different machine, it still just normally logs in and doesn't trigger to enroll into MFA.

 

Help!

266 Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎Mar 27 2024 02:16 AM

‎Mar 27 2024 02:16 AM

Re: Creating MFA conditional Policy, not triggering to enroll when signing in.

The Office.com is a separate "app" and doesn't fall within the scope of your policy. Get the user to login to OWA instead. Or better yet, remove those conditions, you should protect all cloud apps and client types with MFA.
0 Likes
Reply
tlakshmanan

‎Mar 27 2024 02:17 AM

‎Mar 27 2024 02:17 AM

Re: Creating MFA conditional Policy, not triggering to enroll when signing in.

Hello,

Even if end users are not registered for MFA, the Conditional Access Policy (CAP) should prompt them to register for MFA to access the resource.

In your scenario, have you checked the sign-in logs to confirm if the CAP is being applied? Additionally, have you tested the "What if" functionality under Conditional Access Policy to evaluate your newly created policy?

Reference: https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool
0 Likes
Reply