
Microsoft Authentication Broker showing Single-Factor Authentication with Conditional Access "Not Applied" despite MFA policy enforced for all users

Abdulkareem Saad 0 Reputation points
2026-04-28T20:15:45.0066667+00:00

Hi,

I have a Conditional Access policy applied to all users in our tenant that enforces MFA for all sign-ins. When reviewing the Interactive Sign-In logs in Microsoft Entra ID, I noticed that sign-ins from the Microsoft Authentication Broker application are showing:

  • Authentication Requirement: Single-factor authentication
  • Conditional Access Status: Not Applied

While all other applications (e.g., Microsoft Teams) correctly show CA status as Success and authentication as Multifactor.

My questions are:

  1. Why is Conditional Access showing "Not Applied" for Microsoft Authentication Broker sign-ins specifically?
  2. Why does it show Single-Factor Authentication when MFA is enforced for all users?
  3. Is this expected behavior by Microsoft's design, and if so, where is this documented?

Tags: Microsoft Entra ID, Conditional Access, MFA, Authentication Broker, Sign-in Logs

1 answer

  1. Sridevi Machavarapu 30,535 Reputation points Microsoft External Staff Moderator
    2026-04-28T20:29:31.7733333+00:00

    Hello Abdulkareem Saad,

    Yes, this is expected behavior in Microsoft Entra ID.

    Microsoft Authentication Broker supports apps like Microsoft Teams and Microsoft Outlook with sign-in, token handling, and single sign-on. It is not usually the application where Conditional Access is enforced.

    Because of this, broker sign-ins may show:

      • Authentication Requirement: Single-factor authentication
      • Conditional Access Status: Not Applied

    This does not mean MFA was bypassed.

    Conditional Access is typically evaluated on the target application such as Teams, SharePoint, or Exchange Online. If MFA was already completed through Primary Refresh Token (PRT), device compliance, or a previous sign-in, the broker event can still appear as single-factor.

    That is why Teams may show Conditional Access: Success and Multifactor authentication, while Microsoft Authentication Broker shows Not Applied.

    This is expected by design.

    To confirm MFA enforcement, review the sign-in log of the target application rather than relying only on the broker sign-in event.
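
One way to apply the answer's advice to an exported sign-in log, as an added example that is not part of the original thread or Microsoft's own tooling: it sets broker events aside and judges MFA enforcement only from target-application records. The field names follow the Microsoft Graph signIn resource; the records, user names and verdict labels are constructed for illustration.

```python
from collections import defaultdict

BROKER = "Microsoft Authentication Broker"  # display name as shown in the sign-in log


def rec(user, app, requirement, ca_status):
    """Build one record using Microsoft Graph signIn property names."""
    return {"userPrincipalName": user, "appDisplayName": app,
            "authenticationRequirement": requirement,
            "conditionalAccessStatus": ca_status}


# Constructed sample data (not taken from a real tenant).
SAMPLE_SIGNINS = [
    rec("alice@contoso.example", BROKER, "singleFactorAuthentication", "notApplied"),
    rec("alice@contoso.example", "Microsoft Teams", "multiFactorAuthentication", "success"),
    rec("bob@contoso.example", BROKER, "singleFactorAuthentication", "notApplied"),
    rec("carol@contoso.example", BROKER, "singleFactorAuthentication", "notApplied"),
    rec("carol@contoso.example", "Office 365 Exchange Online",
        "singleFactorAuthentication", "notApplied"),
]


def triage(signins):
    """Return a verdict per user based on target-application sign-ins only."""
    targets_by_user = defaultdict(list)
    for r in signins:
        targets = targets_by_user[r["userPrincipalName"]]  # registers broker-only users too
        if r.get("appDisplayName") != BROKER:
            targets.append(r)  # broker events are never counted as MFA evidence

    verdicts = {}
    for user, targets in targets_by_user.items():
        if not targets:
            # Only broker events seen: nothing here proves or disproves MFA.
            verdicts[user] = "no-target-app-evidence"
        elif all(t.get("authenticationRequirement") == "multiFactorAuthentication"
                 and t.get("conditionalAccessStatus") == "success" for t in targets):
            verdicts[user] = "mfa-confirmed-on-target-apps"
        else:
            # A target application itself shows single-factor or CA not applied.
            verdicts[user] = "review-target-app-signins"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_SIGNINS).items()):
        print(f"{user}: {verdict}")
```

A `review-target-app-signins` verdict is the case worth investigating, because there the single-factor or "Not Applied" result is on the target application rather than on the broker.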
