MFA Authentication Strength re-prompting for MFA registration

Jack Baxter 0 Reputation points
2024-06-14T10:39:29.57+00:00

We have a Conditional Access policy to prompt users for MFA every time they use the Azure VPN. This prompts for their password and then a Microsoft Authenticator notification.

We would like to remove the need for users to enter their password but keep some form of MFA. I recently saw the "Require Authentication Strength" option in the CA policy and decided to test this. I created a custom Authentication Strength to prompt for Windows Hello (which all users have set up and use for daily logins) plus the Authenticator code and applied this to a separate CA policy applied only to myself.

When testing this, not only am I still asked to enter my password, but I now get taken to an MFA registration page despite having Authenticator set up on 2 phones plus a mobile number configured as a backup.

Is there something I'm missing to get these new MFA requests working in the CA policy?


2 answers

  1. Fabio Andrade 1,665 Reputation points Microsoft Employee Moderator
    2024-06-17T23:41:21.1733333+00:00

    Hi @Jack Baxter, thanks for reaching out to Microsoft Q&A.

    The Conditional Access feature is applied as an authorization after the first authentication step (user + password), which means that it can be used to grant or block access to an application based on the type (strength) of the authentication method, but you can't configure the passwordless sign-in using a CA policy only.

    The doc below has more information about passwordless authentication:

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless

    Another important thing is that the application must support a passwordless method. The link below contains a table with more information about the methods available and their differences.

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#choose-a-passwordless-method

    Thanks,

    Fabio


  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-06-18T00:23:16+00:00

    Hi @Jack Baxter ,

    In the Authentication Strength settings, you can set the strength to the passwordless authentication strength, as detailed here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-authentication-strength-external

    If you have a passwordless method enforced via Conditional Access, the users can still go with username + password initially, but are now required to do a passwordless auth after that. (They can also just select "Sign-in options" and select Windows Hello.)

    If you still see users prompted for password after enforcing passwordless, you can check the conditional access sign-in logs to validate what is getting applied.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

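The log check suggested in the answer above, written out as an added example (not code from either answer): a KQL query over the Entra sign-in logs that lists, per sign-in, which Conditional Access policies were applied, which grant controls they enforced, and which authentication steps the user actually completed, so a password step or a registration interrupt stands out. It assumes sign-in logs are exported to a Log Analytics workspace (SigninLogs table); the UPN is a placeholder.

```kql
// Added example: which CA policies applied to a user's recent sign-ins,
// and which authentication steps (Password, Windows Hello for Business,
// Mobile app notification, ...) were actually performed.
// Assumes SigninLogs in Log Analytics; targetUser is a placeholder.
let targetUser = "user@contoso.example";
let lookback = 7d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where UserPrincipalName =~ targetUser
| where isnotempty(ConditionalAccessPolicies)
// Collapse the per-step details into one list per sign-in so the
// order of factors (e.g. Password -> Mobile app notification) is visible.
| mv-apply step = AuthenticationDetails on (
    summarize AuthSteps = make_list(strcat(
        tostring(step.authenticationMethod), ":",
        tostring(step.succeeded)))
  )
// One row per CA policy evaluated for the sign-in.
| mv-expand policy = ConditionalAccessPolicies
| extend PolicyName    = tostring(policy.displayName),
         PolicyResult  = tostring(policy.result),
         GrantControls = tostring(policy.enforcedGrantControls)
// Keep only policies that were enforced (or would be, in report-only mode);
// drop the notApplied noise so the relevant policy is easy to spot.
| where PolicyResult in ("success", "failure",
                         "reportOnlySuccess", "reportOnlyFailure")
| project TimeGenerated, AppDisplayName, ConditionalAccessStatus,
          AuthenticationRequirement,
          // Non-zero ResultType with an interrupt-style ResultDescription
          // is where a user was sent to registration instead of signing in.
          ResultType, ResultDescription,
          PolicyName, PolicyResult, GrantControls, AuthSteps
| order by TimeGenerated desc
```

If the expected authentication-strength policy is missing from PolicyName, or AuthSteps begins with a Password step on every row, the CA policy is not evaluating the way the strength was intended and the policy assignments or the user's registered methods are the place to look next.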
