I've recently had my account compromised and have since reset everything, including revoking and re-registering my Multi-Factor Authentication (MFA) methods. I also updated to a new password. However, even when using Incognito mode to access Outlook.com, I'm not being prompted for MFA. I've checked Entra but didn't find anything unusual. I even set MFA to 'enforce' for good measure, but nothing changed. What could be going wrong?
2 Answers
I don't have any CAPs set up yet because I'm in the process of upgrading to Premium for that feature. I've disabled SSPR and completely reset all MFA methods except for the Microsoft Authenticator, since I specifically want to use number matching for security. I think the problem might be related to the fact that the user was phished for their password as well as the MFA token.
Have you switched over to the Combined MFA and Self-Service Password Reset (SSPR) methods? You can find this in the Authentication methods section. Also, check your Conditional Access Policies (CAPs). Do you have any trusted IP ranges that might be excluded from MFA? That could be why you’re not seeing the prompts.
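A scripted version of the checks this answer describes, added here as an example rather than code from the original thread: it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the read-only scopes below, and the UPN is a placeholder for the affected account.

```powershell
# Added example: audit why MFA may not be prompting for an Entra ID account.
# Assumes the Microsoft.Graph module; $Upn is a placeholder to replace.
$Upn = 'user@example.com'
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Named locations flagged as trusted: sign-ins from these ranges are commonly excluded from MFA.
$trusted = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.AdditionalProperties['isTrusted'] -eq $true }
foreach ($loc in $trusted) {
    $ranges = ($loc.AdditionalProperties['ipRanges'] | ForEach-Object { $_['cidrAddress'] }) -join ', '
    Write-Host "Trusted location '$($loc.DisplayName)' ($($loc.Id)): $ranges"
}

# 2. Conditional Access policies that require MFA but are not enabled or exclude trusted locations.
$policies = Get-MgIdentityConditionalAccessPolicy -All
if (-not $policies) { Write-Warning 'No Conditional Access policies exist; CA is not enforcing MFA.' }
foreach ($p in $policies) {
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $excluded    = $p.Conditions.Locations.ExcludeLocations
    if ($requiresMfa -and $p.State -ne 'enabled') {
        Write-Warning "Policy '$($p.DisplayName)' requires MFA but is in state '$($p.State)'."
    }
    $excludesTrusted = ($excluded -contains 'AllTrusted') -or
                       ($excluded | Where-Object { $trusted.Id -contains $_ })
    if ($requiresMfa -and $excludesTrusted) {
        Write-Warning "Policy '$($p.DisplayName)' requires MFA but excludes trusted locations."
    }
}

# 3. Recent sign-ins for the account: ConditionalAccessStatus 'notApplied' means no CA policy
#    matched that sign-in, so CA never asked for MFA. Lists which policies did apply successfully.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 20 |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress, ConditionalAccessStatus,
        @{ n = 'PoliciesApplied'; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object Result -eq 'success' | Select-Object -ExpandProperty DisplayName) -join '; ' } } |
    Format-Table -AutoSize
```

Legacy per-user MFA (the 'enforce' setting) is configured outside Conditional Access, so this script only covers the CA path; a sign-in that shows `notApplied` with no trusted-location hit points back to that legacy setting or to a remembered-device token rather than to a policy gap.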