MFA and SSPR - Account status not changing from Enabled to Enforced even after registration

SenhorDolas 1,171 Reputation points
2021-01-20T17:28:33.29+00:00

Hey Everyone,

I have my users enabled for SSPR and combined MFA/SSPR registration (AD groups in the Azure console) and for MFA (MFA console).

They then log in to a modern app and go through the registration fine.

The problem is that in the MFA console they still show as Enabled and do not change to Enforced.

From PowerShell I see that the user has Authentication Methods enrolled.

Is this expected because SSPR does not provide an app password like normal MFA enrolment does?
Or could it be that the users registered for SSPR and then later they were enabled for MFA?

Thanks M

Tags: Microsoft Defender for Cloud, Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 34,061 Reputation points Microsoft Employee
    2021-01-20T20:54:35.953+00:00

    It sounds like this is because the users had MFA re-enabled at some point after their initial registration, as you mentioned. The documentation says, "If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced."

    I don't think it would be because the app password isn't created, since the documentation also says, "If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."

    This would indicate to me that as long as they either re-register or complete the registration when the MFA is initially enabled, the status should change to Enforced.

    1 person found this answer helpful.
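The check and the fix the answer describes, as an added example that is not part of this thread and not Microsoft's own tooling: list each user's per-user MFA state next to the authentication methods already registered, flag the stuck combination (state Enabled, methods present), and move those users to Enforced as the documentation instructs. It assumes the legacy MSOnline PowerShell module (`Connect-MsolService`), which is what the "MFA console" state in this 2021 thread corresponds to; MSOnline has since been retired, so treat this as the legacy per-user MFA workflow. The UPNs in the usage lines are hypothetical.

```powershell
# Added example (not from the thread). Requires the legacy MSOnline module:
#   Install-Module MSOnline; Connect-MsolService
# Per-user MFA state lives in StrongAuthenticationRequirements (Enabled/Enforced,
# empty = Disabled); registered methods live in StrongAuthenticationMethods.

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        $u = Get-MsolUser -UserPrincipalName $upn
        $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        [pscustomobject]@{
            UserPrincipalName = $upn
            MfaState          = $state
            RegisteredMethods = ($methods -join ',')
            # Enabled with methods already registered is exactly the case in the question:
            # the user registered (e.g. via SSPR or an earlier MFA enablement) but the
            # state never flipped to Enforced, so an admin has to move it.
            StuckInEnabled    = ($state -eq 'Enabled' -and $methods.Count -gt 0)
        }
    }
}

function Set-PerUserMfaEnforced {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$UserPrincipalName)
    process {
        # Build the requirement object the MFA portal writes when you click "Enforce".
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State = 'Enforced'
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Set per-user MFA state to Enforced')) {
            Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
        }
    }
}

# Usage (hypothetical UPNs). Review the report first; -WhatIf shows what would change.
# Connect-MsolService
# $report = Get-PerUserMfaState -UserPrincipalName 'alice@contoso.com','bob@contoso.com'
# $report | Format-Table
# $report | Where-Object StuckInEnabled |
#     Select-Object -ExpandProperty UserPrincipalName |
#     Set-PerUserMfaEnforced -WhatIf
```

Run the report before enforcing: a user who is Enabled with no registered methods should be left alone, since they will be prompted to register and moved to Enforced automatically on their next modern-auth sign-in, exactly as the quoted documentation says. Enforced is the state in which legacy-authentication clients start requiring app passwords, so confirm users with such clients have one before flipping them.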