I've been working on an issue with our shared TV PC that uses an EntraID login. We're currently using Conditional Access policies where we want to enforce MFA for all users, but we're trying to exclude this specific account. We've also restricted logins to our office IP for this account. However, even with these conditions set, the sign-in logs indicate that the Conditional Access policies aren't applying, and the account is still being prompted for MFA enrollment every time it tries to log in. I've tested it on different browsers in incognito modes but the problem persists. Any insights on what might be enforcing MFA enrollment in this situation would be greatly appreciated!
3 Answers
It sounds like you might have Self-Service Password Reset (SSPR) enabled. If so, the registration flow for SSPR counts as part of MFA registration. To resolve this, go to Entra ID, then Account, and under Authentication Methods, add an email or phone number. Doing this generally clears the MFA registration interruption. Also, double-check that in the M365 Admin Centre, the MFA for this user isn't set to Enabled or Enforced in the Legacy per-user MFA settings.
Check if this account has any admin roles. Microsoft rolled out some new policies recently that might affect it. You may need to add an exception for this account. Also, note that MFA enrollment differs from MFA challenges, so you could consider exempting this account from the MFA enrollment policy (if that's still an option). If all else fails, you could manually enroll it for email MFA, sign out, and then test logging in with the TV setup.
Thanks for the advice! The account has no roles or privileges—it's pretty much a clean slate. I’ve excluded the enrollment policy even though it's not enabled. I don’t want to deal with MFA prompts since it’s for a meeting room. Still testing with the ideas you all provided!
Make sure to check your MFA registration policy and ensure that this particular account is excluded. You can find guidance on setting it up from Microsoft documentation.
Thanks! I checked, and the policy isn’t enabled. I've added the account to the exclusions just in case. I'll keep looking to see if that helps.
I added an email to the Authentication Methods. Fingers crossed that works! I've confirmed that the Legacy MFA setting is Disabled, and the sign-in logs show no Conditional Access policies applying.
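The thread's core question is what is enforcing MFA registration when the sign-in logs show no Conditional Access policy applying. The Entra sign-in record itself answers that: besides `conditionalAccessStatus` and `appliedConditionalAccessPolicies`, each record carries `authenticationRequirement` and `authenticationRequirementPolicies`, whose `requirementProvider` value names the mechanism that demanded MFA (legacy per-user MFA, security defaults, the Identity Protection registration policy, a CA policy, or the app's own claims challenge), and `status.errorCode` 50072 marks the registration interrupt. The script below is an added example, not code from the question or any answer; it triages constructed records shaped like the Microsoft Graph `signIn` resource (as exported from the portal or the `auditLogs/signIns` endpoint). The sample records, the account name and IP, and the plain-English wording in `PROVIDER_HINTS` are ours; the `requirementProvider` values are those documented for Graph's `authenticationRequirementPolicy` type and should be checked against your own export.

```python
"""Triage exported Entra ID sign-in records to find what is enforcing MFA or
MFA registration when Conditional Access reports 'notApplied'."""
from collections import Counter

# AADSTS50072 = UserStrongAuthEnrollmentRequiredInterrupt: the user was sent
# to the MFA registration page (the "enrollment prompt" in the question).
MFA_ENROLLMENT_INTERRUPT = 50072

# requirementProvider values from the Graph authenticationRequirementPolicy
# type, mapped to the admin setting to check. The wording is ours (assumption).
PROVIDER_HINTS = {
    "user": "legacy per-user MFA is Enabled/Enforced for this user",
    "securityDefaults": "tenant security defaults are turned on",
    "mfaRegistrationRequiredByIdentityProtectionPolicy":
        "Identity Protection MFA registration policy includes this user",
    "v1ConditionalAccess": "a Conditional Access policy required MFA",
    "multiConditionalAccess": "a Conditional Access policy required MFA",
    "request": "the application itself requested MFA (claims challenge)",
}

# Constructed sample records (not real tenant data), trimmed to the fields used.
SAMPLE_SIGNINS = [
    {   # enrollment interrupt, CA not applied, per-user MFA is the enforcer
        "userPrincipalName": "tvroom@example.com", "ipAddress": "203.0.113.10",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for all users", "result": "notApplied"}],
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationRequirementPolicies": [{"requirementProvider": "user"}],
        "status": {"errorCode": MFA_ENROLLMENT_INTERRUPT},
    },
    {   # same symptom, but security defaults are the enforcer
        "userPrincipalName": "tvroom@example.com", "ipAddress": "203.0.113.10",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
        "authenticationRequirement": "multiFactorAuthentication",
        "authenticationRequirementPolicies": [{"requirementProvider": "securityDefaults"}],
        "status": {"errorCode": MFA_ENROLLMENT_INTERRUPT},
    },
    {   # healthy state: office-IP policy applied, single factor, no interrupt
        "userPrincipalName": "tvroom@example.com", "ipAddress": "203.0.113.10",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Restrict tvroom to office IP", "result": "success"},
            {"displayName": "Require MFA for all users", "result": "notApplied"}],
        "authenticationRequirement": "singleFactorAuthentication",
        "authenticationRequirementPolicies": [],
        "status": {"errorCode": 0},
    },
]


def explain_mfa_source(record):
    """Return what enforced MFA for one sign-in record."""
    status = record.get("status") or {}
    # A policy counts as applied only if it was evaluated and matched.
    applied = [p["displayName"]
               for p in record.get("appliedConditionalAccessPolicies", [])
               if p.get("result") in ("success", "failure")]
    providers = [p.get("requirementProvider")
                 for p in record.get("authenticationRequirementPolicies", [])]
    return {
        "enrollment_interrupt": status.get("errorCode") == MFA_ENROLLMENT_INTERRUPT,
        "mfa_required": record.get("authenticationRequirement") == "multiFactorAuthentication",
        "ca_status": record.get("conditionalAccessStatus"),
        "ca_policies_applied": applied,
        "enforcers": [PROVIDER_HINTS.get(p, f"unknown provider {p!r}") for p in providers],
    }


def summarize(records):
    """Count enforcers across records and how many registration interrupts
    happened while Conditional Access did not apply (the thread's symptom)."""
    enforcers = Counter()
    interrupts_without_ca = 0
    for rec in records:
        info = explain_mfa_source(rec)
        enforcers.update(info["enforcers"])
        if info["enrollment_interrupt"] and info["ca_status"] == "notApplied":
            interrupts_without_ca += 1
    return {"enforcers": dict(enforcers), "interrupts_without_ca": interrupts_without_ca}


if __name__ == "__main__":
    for rec in SAMPLE_SIGNINS:
        print(explain_mfa_source(rec))
    print(summarize(SAMPLE_SIGNINS))
```

Run it against a real export by loading the JSON array into `SAMPLE_SIGNINS`; a non-empty `enforcers` list on records where `ca_status` is `notApplied` points straight at the setting the answers above tell you to check (per-user MFA, security defaults, or the registration policy), without guessing from browser behaviour.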