Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

MFA setup - Users avoid the MFA setup

Hi,

We have set up Conditional Access MFA for users, and some have not set up MFA and can still work in the Outlook client (we have Exchange Online).

We have a P1 license.

How can we force them through the MFA setup so they do not avoid it?

And is there any method to send them a reminder mail to go to the MFA setup page?

Thanks.

3 REPLIES
Microsoft

If MFA is enforced using normal CA rules, they cannot avoid it. Only if you have P2 or Security Defaults would there be an option to skip registration for up to 14 days.

Did you check in the sign-in logs whether the CA rules were even applied? Or did you verify in the sign-in logs that the users are really not using MFA? Because Outlook would not prompt every time for MFA when modern auth is enabled.

Kind regards,
Janosch
Level 1 Contributor

The problem is that if the device is hybrid joined, they will not be prompted for MFA. We are using CA with rules. The rules are applied with error, but they can still use the Outlook client.

 

Microsoft

OK, if they are hybrid joined it might be that they are in fact doing MFA, but the user won't recognize this. See here for info on how the PRT may include an MFA claim: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim

In the sign-in logs, in "authentication details" for a sign-in event, you would see a message like "MFA requirement fulfilled by claim in the token", which means that MFA was done - if the CA rule only requires MFA as control, it would show as applied (as requirements are satisfied). However, this would also mean users have in fact already done MFA registration.

 

Another cause, if you did verify (?) that users have not registered for MFA at all - did you configure the CA with "Require Hybrid Joined device" OR "Require MFA"? In this case you should set it to AND.

 

Kind regards,
Janosch
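
Added example, not part of the thread: a small triage script for exported sign-in records that separates the cases discussed above (CA not applied, MFA satisfied by a claim in the token, MFA done interactively, CA passed with no MFA evidence). The records are constructed, and the field names and the verdict labels are assumptions modelled on a Microsoft Graph sign-in log export.

```python
import json

# Constructed sign-in records. Field names are modelled on a Microsoft Graph
# sign-in log export and are assumptions; adjust them to match your export.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@example.com", "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}],
  "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "succeeded": true,
   "authenticationStepResultDetail": "MFA requirement fulfilled by claim in the token"}]},
 {"userPrincipalName": "bob@example.com", "conditionalAccessStatus": "notApplied",
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "notApplied"}],
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true,
   "authenticationStepResultDetail": "Correct password"}]},
 {"userPrincipalName": "carol@example.com", "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [{"displayName": "MFA or hybrid device", "result": "success"}],
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true,
   "authenticationStepResultDetail": "Correct password"}]},
 {"userPrincipalName": "dave@example.com", "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}],
  "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": true,
   "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Mobile app notification", "succeeded": true,
   "authenticationStepResultDetail": "MFA completed in Azure AD"}]}
]""")

TOKEN_CLAIM = "claim in the token"  # substring of the log message quoted in the reply

def classify(rec):
    """Return a verdict for one sign-in record."""
    results = [p.get("result") for p in rec.get("appliedConditionalAccessPolicies", [])]
    if rec.get("conditionalAccessStatus") == "notApplied" or not any(
            r in ("success", "failure") for r in results):
        return "ca-not-applied"          # no policy was enforced for this sign-in
    if "failure" in results:
        return "ca-failed"               # grant controls were not satisfied
    steps = [s for s in rec.get("authenticationDetails", []) if s.get("succeeded")]
    if any(TOKEN_CLAIM in s.get("authenticationStepResultDetail", "").lower() for s in steps):
        return "mfa-from-token-claim"    # e.g. MFA claim carried in the PRT
    if any(s.get("authenticationMethod") != "Password" for s in steps):
        return "mfa-interactive"         # a second factor was completed in this sign-in
    return "ca-passed-without-mfa"       # check for an OR between device and MFA controls

def triage(records):
    return {r["userPrincipalName"]: classify(r) for r in records}

if __name__ == "__main__":
    for upn, verdict in triage(SAMPLE).items():
        print(f"{upn:22} {verdict}")
```

Users that land in `ca-not-applied` or `ca-passed-without-mfa` are the ones to review against the policy's assignments and grant controls.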