Share via

Why user is being prompted to setup MFA when it is not even enabled?

newhdanalyst 51 Reputation points
2023-02-13T04:48:22.39+00:00

As you can see MFA is disabled:

User's image

However, user was keep getting below prompts while accessing office.com or portal.office.com. What is causing this and how to disable it?

User's image

User's image

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
5,771 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,721 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Dillon Silzer 57,686 Reputation points
    2023-02-13T05:14:10.58+00:00

    Hello,

    #1 Check if you have Security Defaults enabled in your tenant:

    Security defaults in Azure AD

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    #2 I would also recommend checking for a Conditional Access Policy that enforces users to register with MFA:

    Common Conditional Access policy: Require MFA for all users

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

    If this is helpful please accept answer.

    0 comments
  2. Vasil Michev 115.6K Reputation points MVP
    2023-02-13T07:53:05.3533333+00:00

    The prompt you're seeing is not necessarily related to MFA. Check out this forum post of an extensive list of features that might cause this:

    https://learn.microsoft.com/en-us/answers/questions/645850/what-are-the-services-settings-that-can-cause-mfa

    0 comments
  3. Sandeep G-MSFT 20,736 Reputation points Microsoft Employee
    2023-02-20T10:41:07.4833333+00:00

    @newhdanalyst

    Users are prompted to register for MFA due to security defaults feature in Azure AD.

    Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

    Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:

    One of the preconfigured setting in security defaults is "All users must register for MFA"

    Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app or any app supporting OATH TOTP. After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.

    If you do not want this feature to be enabled in your tenant then you can disable it by following below steps,

    • Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
    • Browse to Azure Active Directory > Properties.
    • Select Manage security defaults.
    • Set the Enable security defaults toggle to No.
    • Select Save

    Screenshot of the Azure portal with the toggle to enable security defaults

    You can also refer below article for more information,

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    Do let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.