Failed with conditional access Azure Policy on MFA

2023-01-04T23:04:49.95+00:00

Was there any issue affecting the MFA policy? It does not take effect if I make an exclusion either by application or by a security group. The only way it excludes is with my administrator account in Azure. This exclusion has been applied for several months now, but as of last week, users began to receive the MFA verification process.
Regards

Microsoft Entra ID

3 answers

  1. risolis 8,701 Reputation points
    2023-01-05T00:15:51.153+00:00

    Hello @Claoud Carlos Alberto Sandoval Delgado

    Thank you for sharing this on this community space.

    I was wondering if you have checked the following logs at the Azure AD level:

    AuditLogs
    SignInLogs
    NonInteractiveUserSignInLogs
    ServicePrincipalSignInLogs
    ManagedIdentitySignInLogs
    RiskyUsers
    UserRiskEvents

    Let me know if that was useful but if not, I can keep assisting you further.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2023-01-05T00:53:02.12+00:00

    Hi @Claoud Carlos Alberto Sandoval Delgado ,

    If I understand your issue correctly, it seems that users are being prompted for MFA even though they are excluded from the Conditional Access policy requiring MFA.

    There are several variables that can cause this to happen:

    1) You might have an MFA Registration policy configured in Azure AD Identity Protection. If this is the case, users need to be excluded from the MFA registration policy in order to avoid the prompts.

    2) If MFA is configured as enabled, but not enforced for the user, the user may still see the prompt.

    3) If you recently changed a conditional access policy, it may take a day for the changes to apply.

    4) Make sure that security defaults are disabled.

    5) If you look at the "Log-in" logs in Azure AD, you should get more clues around why those accounts are prompted.

    Additional resources:

    A user is excluded in conditional access policy but it is still applied

    That said, without being able to see the policies in your tenant, check the logs, and know more about the resources and users, it's harder to diagnose this. If you are still having this issue after trying the troubleshooting steps, we can discuss this over email and get a support case opened.

    -
    If the information helped you, please Accept the answer. This will help us and also improve discoverability for others in the community who might be researching similar information.

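The sign-in log check from step 5 above, as an added example that is not part of any answer on this page: a small Python triage over sign-in records in the shape of the Microsoft Graph signIn resource (field names assumed from that schema; the records below are constructed). For each sign-in that required MFA it reports whether the supposedly excluded policy still applied, whether a different Conditional Access policy enforced MFA, or whether MFA was required with no Conditional Access policy applying at all, which is the case that points at per-user MFA, security defaults or an Identity Protection registration policy rather than the Conditional Access exclusion.

```python
import json

# Constructed sample records in the shape of Microsoft Graph /auditLogs/signIns.
# Field names follow the Graph signIn resource; users, apps and policy names are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Finance App",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Finance App",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": []}]},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Finance App",
  "authenticationRequirement": "singleFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": []}]},
 {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Finance App",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": []},
    {"displayName": "Require MFA - external access", "result": "success", "enforcedGrantControls": ["Mfa"]}]}
]""")


def explain_mfa_prompts(signins, excluded_policy):
    """Return one finding per sign-in that required MFA, naming what enforced it.

    'excluded_policy' is the display name of the Conditional Access policy the
    user or app is supposed to be excluded from.  A policy whose result is
    'success' with an 'Mfa' grant control did apply and did demand MFA.
    """
    findings = []
    for s in signins:
        if s.get("authenticationRequirement") != "multiFactorAuthentication":
            continue  # no MFA prompt on this sign-in, nothing to explain
        enforcing = [p["displayName"]
                     for p in s.get("appliedConditionalAccessPolicies", [])
                     if p.get("result") == "success"
                     and "Mfa" in p.get("enforcedGrantControls", [])]
        if excluded_policy in enforcing:
            reason = "excluded policy still applied"        # exclusion did not take effect
        elif enforcing:
            reason = "other CA policy enforced MFA"         # a second policy is the cause
        else:
            reason = "MFA required outside Conditional Access"  # per-user MFA, defaults, registration
        findings.append({"user": s["userPrincipalName"], "app": s["appDisplayName"],
                         "reason": reason, "policies": enforcing})
    return findings
```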

  3. 2023-01-11T18:49:29.1166667+00:00

Hi, sorry for the late response. I did some testing and noticed that the only way the exclusion from the MFA policy gets applied is if I add the Authentication Administrator, Authentication Policy Administrator or Global Administrator role to the user. If the user has no roles, or a role different from the ones I mentioned, the user doesn't get the exclusion.

The next figure shows that the exclusion is applied, but I am still asked for MFA code verification:


Here is another example where it says the app is excluded, but I keep getting asked for the MFA verification code:


What I wonder is why it suddenly started working a couple of weeks ago, when the exclusion had been working for several. Did Microsoft apply something on Azure, or is it possible that the app configuration overrides the MFA policy?

    Greetings
