Failed with conditional access Azure Policy on MFA

2023-01-04T23:04:49.95+00:00

Was there any affectation in the MFA policy? it does not take effect if I make an exclusion either by application or a security group. The only way it excludes is with my administrator account in azure. This exclusion has been applied for a several month now, but as of last week, users began to receive the MFA verification process.
regards

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,663 questions
No comments
{count} votes

3 answers

Sort by: Most helpful
  1. risolis 5,926 Reputation points
    2023-01-05T00:15:51.153+00:00

    Hello @Claoud Carlos Alberto Sandoval Delgado

    Thank you for sharing this on this community space.

    I was wondering if you have checked the following logs at the Azure AD level:

    AuditLogs
    SignInLogs
    NonInteractiveUserSignInLogs
    ServicePrincipalSignInLogs
    ManagedIdentitySignInLogs
    RiskyUsers
    UserRiskEvents

    Let me know if that was useful but if not, I can keep assisting you further.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    No comments

  2. Marilee Turscak-MSFT 20,516 Reputation points Microsoft Employee
    2023-01-05T00:53:02.12+00:00

    Hi @Claoud Carlos Alberto Sandoval Delgado ,

    If I understand your issue correctly, it seems that users are being prompted for MFA even though they are excluded from the Conditional Access policy requiring MFA.

    There are several variables that can cause this to happen:

    1) You might have an MFA Registration policy configured in Azure AD Identity Protection. If this is the case, users need to be excluded from the MFA registration policy in order to avoid the prompts.

    2) If MFA is configured as enabled, but not enforced for the user, the user may still see the prompt.

    3) If you recently changed a conditional access policy, it may take a day for the changes to apply.

    4) Make sure that security defaults are disabled.

    5) If you look at the "Log-in" logs in Azure AD, you should get more clues around why those accounts are prompted.

    Additional resources:

    A user is excluded in conditional access policy but it is still applied

    That said, without being able to see the policies in your tenant, check the logs, and know more about the resources and users, it's harder to diagnose this. If you are still having this issue after trying the troubleshooting steps, we can discuss this over email and get a support case opened.

    -
    If the information helped you, please Accept the answer. This will help us and also improve discoverability for others in the community who might be researching similar information.

    No comments

  3. 2023-01-11T18:49:29.1166667+00:00

    Hi, sorry for the late response, I made some testing and noticed that the only way the Exclusion of MFA policy get applied is if add Authentication Administrator, Authentication Policy Administrator or Global Administrator role to the user. If the user has no roles or another different the one I said, the user dont get the exclusion.

    In the next figure show that the exclusion is applied, but i still asked for MFA code verification:

    User's image

    Here is another example where it is said that the App is excluded, but i keep asked for the MFA verification code

    User's image

    User's image

    My wonder is why suddenly start working a couple weeks ago, when the exclusion is been working for several. Microsoft applied something on azure or maybe from the app configuration it posibble override the MFA policy?

    Greetings

    No comments