Security defaults does not "enforce" MFA for regular user accounts, so that's the expected behavior. Users will be asked to register their MFA details and complete the MFA challenge when accessing specific resources (generally speaking those considered "sensitive"), but not for all. It's explained in the official documentation: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#protecting-all-users
If you want to enforce MFA and have matching Office 365 licenses, you can do so via the "old" per-user MFA controls: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
Office 365 not prompting for MFA with Security Defaults enabled in Azure AD
I have experienced that MFA is not being prompted for our users when they access Office 365 applications, e.g. office.com, the Outlook application, etc.
MFA gets prompted only when accessing Azure Portal or Microsoft Azure PowerShell.
We have tried logging in with different users and different IPs as well - it just lets users pass through the applications without requiring MFA.
We have Security Defaults enabled for our tenant.
I have also seen a similar case reported, but Microsoft hasn't responded to that either: https://learn.microsoft.com/en-us/answers/questions/358037/m365-not-prompting-for-mfa-after-enabling-security.html
1 answer
Vasil Michev 95,341 Reputation points MVP
2021-11-03T13:11:22.977+00:00