This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 8%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
I have an account, in a tenant that has Security Defaults off. We have Conditional access enabled, but have excluded the user in question from MFA.
When I login via a Crestron Teams Panel (android based) it continues to ask for "additional info" to enroll in MFA every time it logs in.
When I login via an Incognito window it does not require MFA, or MFA enrollment.
Does anyone have any thoughts on this issue?
So what I found out was this was a setting in AAD under devices that required devices to ask for MFA to register with AAD.
Security Defaults being off do not turn this part off, but MS recommends using Conditional Access to enable it.
You can access it by going to Devices -> Device Settings in the AAD portal.
Please ensure that your Conditional Access policy is enabled for All cloud apps as seen below:
------------------------------
If this is helpful please accept answer.
I checked that and it was set for all Cloud Apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Jason Kowalczyk ,
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue:
In a tenant where Security Defaults were disabled, MFA was still being required for an Android user. Conditional Access was enabled, but the user was excluded from MFA. Yet the user was still prompted for MFA.
Resolution:
Setting Require Multi-Factor Authentication to register or join devices with Azure AD to No under Devices > Device settings resolved the issue. Turning off Security Defaults does not disable this setting, so users would still be prompted for MFA.
Let me know if this accurately describes your resolution and if you questions or run into any issues. Thank you again for your time and patience throughout this issue.
-
If the information provided accurately summarizes your solution, please consider Accepting the answer. This will help improve discoverability for others in the community who might be researching similar information.