From an enterprise level, MFA is not enabled, but MFA notifications still going to users for registration, why?

Peter D. Brown 0 Reputation points

From an enterprise level, MFA is not enabled, but MFA notifications still going to users for registration and are locked out, why?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,691 questions
Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
3,257 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Sandeep G-MSFT 7,276 Reputation points Microsoft Employee

    @Peter D. Brown

    Thank you for posting your question in Microsoft Q&A.

    As I understand users in your organization are getting prompted to register for MFA. Where in you do not have MFA enabled on the organization level.

    This MFA registration is triggered for users due to security defaults. There is a feature called as security defaults in Azure AD. When this get's enabled all the users and admins will be prompted to register for MFA.

    Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

    Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:

    • Requiring all users and admins to register for MFA using the Microsoft Authenticator app.
    • Requiring administrators to do multifactor authentication.
    • Requiring users to do multifactor authentication when necessary.
    • Blocking legacy authentication protocols.
    • Protecting privileged activities like access to the Azure portal.

    If you want to stop all users from being prompted for MFA registration then you will have to contact your Global Administrator of your organization and ask them to turn off security defaults.

    Below are the steps to disable security defaults,

    • Go to the Azure portal ( and sign in.
    • Access Azure Active directory blade on the left pane.
    • In the navigation pane, select Properties, and then select Manage security defaults.

    Screenshot showing Properties and Manage Security Defaults for Azure Active Directory.

    • On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on (Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Disabled.

    Let me know if you have any further question regarding this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Kevin Crouch 81 Reputation points

    MFA Registation can be triggered by a number of things

    0 comments No comments