MFA setup - Users avoid the MFA setup
We have set up Conditional Access MFA for users, and some have not set up MFA and can still work in the Outlook client (we have Exchange Online).
We have a P1 license.
How can we force them through the MFA setup and not let them avoid it?
And is there any method to send them a reminder mail to go to the MFA setup page?
If MFA is enforced using normal CA rules, they cannot avoid it. Only if you have P2 or Security Defaults would there be an option to skip registration for up to 14 days.
Did you check in the sign-in logs whether the CA rules were even applied? Or did you verify in the sign-in logs that the users are really not using MFA? Because Outlook would not prompt every time for MFA when modern auth is enabled.
The problem is that if the device is hybrid joined they will not be prompted for MFA. We are using CA with rules. The rules are applied with error, but they can still use the Outlook client.
OK, if they are hybrid joined it might be that they are in fact doing MFA, but the user won't recognize this. See here for info on how the PRT may include an MFA claim: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim
In the sign-in logs, in "authentication details" for a sign-in event, you would see a message like "MFA requirement fulfilled by claim in the token" which means that MFA was done - if the CA rule only requires MFA as control it would show as applied (as requirements are satisfied). However, this would also mean users have in fact already done MFA registration.
Another cause, if you did verify (?) that users have not registered for MFA at all - did you configure the CA with "Require Hybrid Joined device" OR "Require MFA"? In this case you should set it to AND.
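The two checks suggested in the replies above (the OR/AND grant setting and what the sign-in logs actually show), as an added example that is not part of the original thread. It assumes policies and sign-ins were exported as JSON shaped like Microsoft Graph `conditionalAccessPolicy` and `signIn` objects; the sample records are constructed and the function names are hypothetical.

```python
import json

# Constructed sample data shaped like Graph conditionalAccessPolicy / signIn
# objects (assumption: exported to JSON beforehand). All values are invented.
POLICIES = json.loads("""[
 {"displayName": "Require MFA or hybrid device", "state": "enabled",
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "domainJoinedDevice"]}},
 {"displayName": "Require MFA and hybrid device", "state": "enabled",
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "domainJoinedDevice"]}},
 {"displayName": "Pilot MFA", "state": "enabledForReportingButNotEnforced",
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")
SIGN_INS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "conditionalAccessStatus": "success",
  "authenticationRequirement": "singleFactorAuthentication"},
 {"userPrincipalName": "bob@example.com", "conditionalAccessStatus": "success",
  "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "carol@example.com", "conditionalAccessStatus": "notApplied",
  "authenticationRequirement": "singleFactorAuthentication"}
]""")

DEVICE_CONTROLS = {"domainJoinedDevice", "compliantDevice"}

def mfa_alternatives(policy):
    """Device controls that satisfy an enforced policy on their own, without MFA."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if policy.get("state") != "enabled" or "mfa" not in controls:
        return []  # disabled, report-only, or not an MFA policy at all
    if grant.get("operator") != "OR":
        return []  # AND: every listed control, MFA included, is required
    return sorted(controls & DEVICE_CONTROLS)

def audit_policies(policies):
    """Map policy name -> controls that let a sign-in pass without MFA."""
    return {p["displayName"]: alt for p in policies if (alt := mfa_alternatives(p))}

def classify_sign_in(sign_in):
    """Separate 'CA never applied' from 'CA passed' with or without an MFA requirement."""
    if sign_in.get("conditionalAccessStatus") != "success":
        return "ca-not-applied-or-failed"
    if sign_in.get("authenticationRequirement") == "multiFactorAuthentication":
        return "ca-success-mfa-required"
    return "ca-success-single-factor"

if __name__ == "__main__":
    print(audit_policies(POLICIES))
    for s in SIGN_INS:
        print(s["userPrincipalName"], classify_sign_in(s))
```

A policy reported by `audit_policies` is one where a hybrid joined or compliant device alone meets the grant, so users on those devices never reach MFA registration; sign-ins classified `ca-success-single-factor` are the ones to review against it.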