This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 18%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
Hello- I am deploying new Windows 11 laptops to my users. The new laptops are being joined to Entra and simultaneously being joined to inTune. For 2FA, I am using a single Conditional Access policy that is set to Require Authentication Strength of Multifactor Authentication. All users in the organization are included in the policy. In order to setup new PCs for users that are not onsite to verify their 2FA credential, I am adding the users, temporarily, to the Excluded Users in the Conditional Access policy. However, those does not seem to function. I am still being prompted for 2FA. Security Defaults and legacy MFA are disabled for the organization. Please advise.
p.s. It is outrageous that Microsoft requires a paid subscription to for Azure when THEIR service is not functioning properly.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Use the WhatIf functionality of Entra ID CA to validate your setup.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool
Btw. you might want so also keep in mind that MFA is becoming mandatory
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
I am quite aware that MFA is becoming mandatory. However, IT companies, including Microsoft, need to understand that there are times when it is necessary to disable the MFA requirement for a short period of time. I am trying to setup a user laptop and the user is unavailable to answer the second factor.
Thank you for the suggestion with regard to the WhatIF function. It showed one policy with regard to disabling legacy authentication. It made no difference with regard to the issue. The user is still being prompted for 2FA despite being explicitly excluded from the policy.
The 2FA must be coming from elsewhere in the Microsoft ecosystem though I am not certain where. Legacy MFA and Security Defaults are disabled for the tenant.
Yep - agreed - that's essentially what Conditional Access is meant to provide.
You might want to review sign-in logs - these should provide some clues regarding the behavior you're seeing
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
Require Multifactor Authentication to register or join devices with Microsoft Entra
in Entra is also set to disabled.
Create device policy in inTune to disable Windows Hello for Business. Same issue. Will review sign in logs next. Thanks