"Register multi factor authentication" for 1 user isn't working. How can I fix this?

Anonymous
2023-01-21T06:35:44.3666667+00:00

Dear all,

  • We have a user base all running on Windows 10, for which every user who is given an individual user id is given a license for the web version of M365
  • We force 2FA, insisting on a 2FA smartphone app as the minimum 2nd-factor strength
  • The 2FA smartphone app we encourage users to embrace is MS Authenticator (although on the occasions when the user already uses another 2FA smartphone app such as Authy or Duo, we are OK to go with that)
  • Since the re-architected version of Edge (built on Chromium) was released in 2020, we ditched Chrome, meaning our tech base has further Microsoft centricity (specifically we have a single sign-on for our users who log in to office.com in Edge; this single sign-on works very well)
  • This generally all works very brilliantly, including forcing users to register MFA
  • Unusually, this week (and for the 1st time I recall in my 3 years in the organisation), we have a new user id I created for which the user isn't being forced to register MFA
  • I've been able to work with the user in their M365 account settings on the web to add MS Authenticator as a 2nd factor
  • However, it seems to me that the user logs in using only 1 factor: either a password or Authenticator (and not both)
  • I've tried removing Authenticator as an authentication factor for the user (supported by removing their work account from their Authenticator app), and then in Azure AD forcing "Require register Multifactor authentication"
  • However, this doesn't force the user to register MFA, and the user ends up repeating the same set of circumstances
  • The best test I've done to verify this situation is:
  1. Getting the user to add their work account to Authenticator, despite not being forced to register MFA after logging in to office.com
  2. Checking Azure AD to see that Authenticator is registered as a 2nd factor (Azure AD displays the user's MFA status as "Capable" with "Methods Registered" of "Microsoft Authenticator app (push notification)")
  3. Then asking the user to log in on their personal (ie not company owned nor managed) laptop to office.com, using Chrome as the browser, with their company user id
  • If MFA was in force, I would expect this test to force the user to authenticate with a password and Authenticator
  • However, the user logged in to office.com using only a password for authentication
  • Then, still using Chrome, I went to the user's account details and opened the user's Security Info
  • Clicking Security Info prompted the user to authenticate at this point with Authenticator
  • Hence I am confident that the user can authenticate with Authenticator
  • The challenge I have is forcing MFA for this user at login

Can anyone please advise how I fix this?

Thanks for any help.

Regards,

Steve


4 answers

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2023-01-21T09:25:53.47+00:00

    Is the user logging in from an Azure AD joined device? If so, the login process is leveraging the Primary Refresh Token, and is automatically considered as satisfying MFA requirements. You can verify this via the Azure AD audit logs. Here's an example:

    [screenshot of an Azure AD sign-in log entry, not included in this copy]

    where I've trimmed some fields containing personal/irrelevant data.

    More details in this article.

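The check Vasil describes (reading the sign-in log to see whether a sign-in was counted as MFA, and why) can be scripted rather than read off one screenshot. The following is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed, that the caller can consent to the AuditLog.Read.All and Directory.Read.All scopes, and that `user@contoso.com` is replaced with the affected user's UPN. The property names are those of the Graph `signIn` resource; the exact wording of the per-step result strings is what I have observed in tenants and is not guaranteed to be stable.

```powershell
# Added example (not from the original thread): list a user's recent sign-ins from the
# Entra ID (Azure AD) sign-in log and show, per sign-in, whether Azure AD required a
# single factor or MFA, which Conditional Access policies applied, how the device was
# joined, and how each authentication step was satisfied. A step satisfied "by claim in
# the token" on an Azure AD joined / hybrid joined device is the Primary Refresh Token case.
# Assumes: Microsoft.Graph.Reports module; AuditLog.Read.All + Directory.Read.All consent.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'user@contoso.com'                                   # placeholder: affected user's UPN
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Interactive and non-interactive sign-ins for the user in the last 7 days.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$signIns | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.CreatedDateTime
        App         = $_.AppDisplayName
        Browser     = $_.DeviceDetail.Browser
        DeviceTrust = $_.DeviceDetail.TrustType         # 'Azure AD joined', 'Hybrid Azure AD joined', or empty
        Requirement = $_.AuthenticationRequirement      # 'singleFactorAuthentication' / 'multiFactorAuthentication'
        CAStatus    = $_.ConditionalAccessStatus        # 'success', 'failure', 'notApplied'
        CAPolicies  = ($_.AppliedConditionalAccessPolicies |
                        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
        Steps       = ($_.AuthenticationDetails |
                        ForEach-Object { "$($_.AuthenticationMethod) [$($_.AuthenticationStepResultDetail)]" }) -join '; '
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

How to read the output: a row with `Requirement` = `multiFactorAuthentication` whose `Steps` column shows the MFA step satisfied by a claim in the token (no Authenticator push in the step list) and a non-empty `DeviceTrust` is the PRT case from the answer above. A row with `Requirement` = `singleFactorAuthentication` and no policy in `CAPolicies` ending in `=success` means nothing asked for MFA on that sign-in at all, which points at policy scope (Conditional Access assignment, per-user MFA state, or Security Defaults) rather than at the user's registered methods.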

  2. Limitless Technology 44,751 Reputation points
    2023-01-23T16:32:20.01+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    I highly suggest you to check this article https://support.microsoft.com/en-us/account-billing/63acbb9b-16a1-47b9-8619-6a865e8071a5 about common problems with two-step verification for a work or school account.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.



  4. Anonymous
    2023-02-03T08:24:32.4766667+00:00

    Hi Vasil,

    The user is connected to on-prem Active Directory rather than with Azure AD. Hence I regret to say I've been unable to source the login info you constructively suggest.

    Hi all,

    To add to the earlier info:

    1. The User's Android phone has notifications enabled from MS Authenticator
    2. The User's Android phone has no 3rd party security products installed
    3. To further prove the issue, I in tandem with the user yesterday:

    a) Reset the user's password

    b) Logged in with the user's id and the temporary password in an attempt to trigger 2FA. I am located in a different geography from the user (and thus outside the company firewall), and unlike the user, use my personal laptop rather than a PC connected to on-prem Active Directory. I actioned this on Firefox and Brave so as to further reduce the possibility of some sort of single sign-on taking effect in technology used by the company (ie I didn't use Edge; Edge is the standard browser in the company since Edge was re-architected in 2020)

    c) The user at no stage received any 2FA prompt

    This seems compelling evidence that, while the user has 2 different authentication factors enabled, 2FA is not in force.

    Can anyone please make any further suggestions on how to take this forward?

    Rgds,

    Steve
