I'm facing an issue with Entra ID Free where MFA isn't required for all logins. I've enabled security defaults, and MFA is set up for the users who have an Exchange Online P1 license. Despite this, when users log into Outlook.com from a new device or different location, they can log in with just their email and password—no MFA prompt. However, if they try to change their security settings, then MFA is requested. What steps do I need to take to ensure that MFA is always required during the login process? I haven't checked other Microsoft services yet, but I'm curious if the same issue exists there.
3 Answers
Just a heads up, Microsoft often doesn't prompt for MFA unless they detect suspicious activity during sign-in—so if your session looks normal, it might skip the MFA step. That's part of the security defaults.
You might need to set up a conditional access policy that enforces MFA in certain scenarios. Unfortunately, with the Exchange Online P1 license, you won't have access to that feature, which may be why MFA isn't triggering as you'd expect.
Check the admin panel; there’s a Multifactor Authentication option that can enforce MFA setup for users. However, be aware that this feature might be phased out in the future as per Microsoft’s updates.
Yes, I read that it’ll be disabled by September 2025. So you’d need to transition to Microsoft security defaults or upgrade licensing for conditional access.

That's a bummer! I really thought that'd be a straightforward fix. It seems like intended behavior given the licensing limitations.
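The answers above boil down to two checks an admin on Entra ID Free can actually make: whether security defaults are switched on for the tenant, and whether every user has finished registering an MFA method (security defaults require registration, but the prompt at sign-in is risk-based, as the first answer notes). The script below is an added example, not something posted in this thread, that performs both checks with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed, that the account running it can consent to the read-only scopes listed, and that the authentication methods registration report is available to the tenant (reporting features can carry their own licensing requirements; treat that as an assumption to verify).

```powershell
# Added audit script (not from the thread): confirms the tenant-level and per-user
# prerequisites for MFA on Entra ID Free. It reads state only; it changes nothing.
# Assumes: Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Reports modules installed,
# and an account that can consent to the three read-only scopes below.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Tenant level: are security defaults actually enforced?
#    (identitySecurityDefaultsEnforcementPolicy.isEnabled is the single switch behind the portal toggle)
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security defaults: ENABLED (registration enforced; sign-in prompts are risk-based)"
} else {
    Write-Warning "Security defaults: DISABLED - enable them, or use Conditional Access where licensed"
}

# 2. Per user: who has not yet registered any MFA method?
#    A user with IsMfaRegistered = $false can only ever be challenged with a registration prompt,
#    never a real second factor, so this list is the gap to close first.
$details       = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = @($details | Where-Object { -not $_.IsMfaRegistered })

"{0} of {1} users have no MFA method registered" -f $notRegistered.Count, @($details).Count

$notRegistered |
    Select-Object UserPrincipalName, IsMfaCapable,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Run it from an admin workstation; the first section tells you whether the "security defaults" answer applies to your tenant at all, and the second gives you the list of users to chase for registration. Neither check will make the sign-in prompt unconditional: as the thread concludes, an always-on MFA requirement per sign-in is a Conditional Access feature and needs the corresponding licence.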