From an enterprise level, MFA is not enabled, but MFA notifications still going to users for registration, why?

Question

From an enterprise level, MFA is not enabled, but MFA notifications still going to users for registration and are locked out, why?

Answer 1

@Peter D. Brown

Thank you for posting your question in Microsoft Q&A.

As I understand users in your organization are getting prompted to register for MFA. Where in you do not have MFA enabled on the organization level.

This MFA registration is triggered for users due to security defaults. There is a feature called as security defaults in Azure AD. When this get's enabled all the users and admins will be prompted to register for MFA.

Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:

• Requiring all users and admins to register for MFA using the Microsoft Authenticator app.
• Requiring administrators to do multifactor authentication.
• Requiring users to do multifactor authentication when necessary.
• Blocking legacy authentication protocols.
• Protecting privileged activities like access to the Azure portal.

If you want to stop all users from being prompted for MFA registration then you will have to contact your Global Administrator of your organization and ask them to turn off security defaults.

Below are the steps to disable security defaults,

• Go to the Azure portal (https://portal.azure.com/) and sign in.
• Access Azure Active directory blade on the left pane.
• In the navigation pane, select Properties, and then select Manage security defaults.

• On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on (Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Disabled.

Let me know if you have any further question regarding this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

MFA Registation can be triggered by a number of things

• Security Defaults
• MFA Registration Policy
• Self-Service Password Reset (SSPR) Policies
• Newer Authentication Policies (replacing MFA and SSPR policies)
• A Conditional Access policy that requires MFA will trigger registration, if the user does not have MFA already setup
  • This can also trigger registration for Admins
  • Legacy Per-User Azure MFA
  • And finally, often people mistake MFA Registration for when the account is trying to trigger MFA Method Verification. The Verification often happens every few months, and basically has you review which methods are currently set up, to remove an old App/Phone if it was replaced or if you changed phone numbers, or something similar.
  If you have access to the sign-in logs, you can generally use the Sign-In Logs and particularly the Authentication Details tab to see if any Conditional Access MFA Policies applied, and often the Sign-In Status and Error Codes will help give some insight into whether some other form of registration or interruption was triggered