I'm facing a strange situation where some of my users are being asked to register for Multi-Factor Authentication (MFA) when they try to log into Teams and OneDrive. I don't have any tenant-wide MFA settings enabled, no Conditional Access Policy that would require MFA for these users, and the logs indicate there's no policy being applied that targets them. They're not part of any MFA registration campaigns, and their MFA settings are turned off per user. I even created a Conditional Access Policy to exclude them from MFA for all resources, but that didn't help. Can anyone help me figure out why they're still being prompted for MFA?
3 Answers
Are you using the new authentication methods policies? Sometimes those can cause unexpected prompts for MFA even without the usual conditions applied.
There’s a recent rollout where MFA is becoming mandatory for Azure users in phases. Starting this October, certain users will need MFA to log into the Azure portal and related services. However, these changes are mostly focused on Azure admin access and might not apply directly to standard Microsoft 365 users. Just a heads up!
Exactly! This rollout pertains to Azure portals and doesn't directly affect M365 Cloud Apps. I work in a school and enforcing MFA for younger students is a big challenge. I even set up a Conditional Access Policy to exclude them, but they’re still being prompted to register.
It’s likely due to an MFA registration campaign that might be set up within your tenant. Even if there’s no active CA policy, having a registration campaign could lead to users being prompted to enroll in MFA. Make sure to exclude them from any ongoing campaigns.
We have conditional access policies and made sure to include that user in the 'exclude' list from MFA, but they are still being asked to set it up.
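The registration campaign mentioned in the answers is stored in the tenant's authentication methods policy, so it can be checked directly instead of inferred from Conditional Access. The sketch below is an added example, not code from anyone in this thread: it evaluates one user against a constructed sample of that policy's JSON. The function name, the sample ids and the rule that exclusions win over inclusions are assumptions.

```python
import json

# Constructed sample of the JSON returned by
# GET https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy
# (trimmed to the registration campaign; every id here is made up).
SAMPLE_POLICY = json.loads("""
{
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {
      "state": "enabled",
      "snoozeDurationInDays": 1,
      "includeTargets": [
        {"id": "all_users", "targetType": "group",
         "targetedAuthenticationMethod": "microsoftAuthenticator"}
      ],
      "excludeTargets": [
        {"id": "grp-students-0001", "targetType": "group"}
      ]
    }
  }
}
""")


def campaign_verdict(policy, user_id, group_ids):
    """Hypothetical helper: classify one user against the campaign as
    'disabled', 'excluded', 'microsoft_managed', 'targeted' or 'not_targeted'."""
    campaign = (policy.get("registrationEnforcement", {})
                .get("authenticationMethodsRegistrationCampaign", {}))
    state = campaign.get("state", "default")
    if state == "disabled":
        return "disabled"
    # A target can name the user, one of their groups, or the all_users group.
    principals = {user_id, "all_users", *group_ids}

    def hit(targets):
        return any(t.get("id") in principals for t in targets or [])

    # Assumption: an exclusion takes precedence over any inclusion.
    if hit(campaign.get("excludeTargets")):
        return "excluded"
    if state == "default":
        # 'default' leaves the on/off decision to Microsoft; confirm in the portal.
        return "microsoft_managed"
    return "targeted" if hit(campaign.get("includeTargets")) else "not_targeted"
```

A result of `excluded` or `disabled` for a user who is still prompted means the registration campaign is not the source of the prompt.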