I'm having a tough time with my Conditional Access multi-factor authentication (MFA) setup for Microsoft. I think it might be linked to a policy I previously created for Microsoft Secure Score that enforced a phishing-resistant MFA strength for administrators. However, I deleted that policy weeks ago, and now MFA isn't being applied consistently for all users, which I only discovered due to a support ticket from one of them.
When I enable Microsoft's built-in MFA for admins, it works perfectly, but with the policies set up by our organization, users can log in without any MFA prompts. Here's a quick overview of my configuration:
- **Users:** All users except for two service groups and some service accounts.
- **Target Resources:** All resources (no exclusions).
- **Network:** Any network (no exclusions).
- **Conditions:** User risk and sign-in risk were enabled but I've turned them off, and the policies still aren't applying.
- **Grant:** MFA was set to required. I also tried the 'Require authentication strength' option, but that didn't work either.
- **Session:** Set to 30 days.
I've tested both with my admin account and a regular user account, and neither prompts for MFA. This is really confusing, especially since the built-in option for administrators works fine. Could an old deleted policy be causing this issue?
5 Answers
Have you checked your licensing setup? Sometimes, licensing issues can block certain MFA operations. Just something to look into along with all the other settings you've been adjusting.
It sounds like a tricky situation! I've noticed similar strange behaviors where some applications seem to override more secure settings with looser ones. You might want to check if there are any conflicting policies that could undermine your MFA settings. I've also had instances where it felt like I wasn't prompted for sign-ins even though I was supposed to. Tickets can help, but sometimes you just have to wait for Microsoft to clarify if there's a larger issue at play.
When troubleshooting, I like to create a simple new policy targeting a test account just to see if MFA is triggered. Start basic and gradually add your other settings while testing each time. Also, using an incognito window for testing can reveal if any cached states are interfering with your logins.
Policies shouldn't clash unless there are overriding factors at play. If you've deleted one and it's still causing issues, there might be residual settings. I’d suggest setting up new policies in report-only mode first. This way, you can test everything thoroughly before enabling them and ditching the old policies altogether. Using the "What If" feature in the CA tab can help you see how your settings behave during different scenarios.
Have you checked your sign-in logs? They can provide clues on why a specific policy was or wasn’t applied. Also, remember that once a user passes an MFA challenge, their browser may carry that token for other services and won't ask for MFA again for a while. It's all about finding those details that might be hiding in plain sight.
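The sign-in log check suggested in the last answer, as an added example rather than code from any of the posters: it walks a JSON export of sign-in records and lists every successful sign-in where no enforced policy carried an MFA grant control, along with which policies were evaluated but skipped (assignments did not match) or only ran in report-only mode. It assumes records shaped like the Microsoft Graph v1.0 `signIn` resource (`GET /auditLogs/signIns` or the portal's JSON download) and that an MFA requirement appears in `enforcedGrantControls` as `Mfa`; the sample records are constructed.

```python
import json

# Policy `result` values meaning the policy matched and its controls were enforced.
ENFORCED = {"success", "failure"}
# Values meaning the policy was evaluated but did not apply to this sign-in.
SKIPPED = {"notApplied", "notEnabled", "reportOnlyNotApplied"}

# Constructed sample in the shape of Graph v1.0 `signIn` records (not real tenant data).
SAMPLE = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "notApplied",
          "enforcedGrantControls": []},
         {"displayName": "Phishing-resistant MFA - admins (RO)", "result": "reportOnlySuccess",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Teams",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
]

def load_export(path):
    """Load a Graph response or portal JSON download; unwrap the {"value": [...]} envelope."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["value"] if isinstance(data, dict) else data

def audit_signin(rec):
    """Return a finding for a successful sign-in that no enforced policy required MFA, else None."""
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return None  # failed sign-in: nothing was granted, so nothing to flag
    policies = rec.get("appliedConditionalAccessPolicies") or []
    enforced_mfa = [p["displayName"] for p in policies
                    if p.get("result") in ENFORCED
                    and any(c.lower() == "mfa" for c in p.get("enforcedGrantControls", []))]
    if enforced_mfa:
        return None
    return {"user": rec.get("userPrincipalName"), "app": rec.get("appDisplayName"),
            "caStatus": rec.get("conditionalAccessStatus"),
            "skipped": [p["displayName"] for p in policies if p.get("result") in SKIPPED],
            "reportOnly": [p["displayName"] for p in policies
                           if str(p.get("result", "")).startswith("reportOnly")]}

def audit_signins(records):
    """All sign-ins that completed without an enforced MFA control, in the order given."""
    return [f for f in map(audit_signin, records) if f is not None]
```

A sign-in that shows up with `caStatus` of `notApplied` and your MFA policy listed under `skipped` means the policy's assignments (users, resources, conditions) did not match that sign-in, which is the case to compare against the policy's exclusion groups.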