MFA without asking... What changed?

Tom - BR 0 Reputation points
2023-07-13T22:39:56.04+00:00

So recently all users are required to enter MFA info even though the O365 is protected by our Okta. Not sure what changed but it's annoying. I'd like to at least be able to protect admin accounts but not the entire organization. Thank you!


2 answers

  1. Emi Zhang-MSFT 30,046 Reputation points Microsoft External Staff
    2023-07-14T09:15:40.1233333+00:00

    Hi,

    I suggest you try to post this issue to Microsoft 365 Admin forum:

    https://techcommunity.microsoft.com/t5/microsoft-365-admin-center/bd-p/AdminCenter

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2023-07-17T11:20:58.2466667+00:00

    @Tom - BR

    This MFA prompt is triggered by Azure. There is a feature called "security defaults" in Azure AD.

    Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

    One of the key features within security defaults is requiring all users to register for Azure AD Multifactor Authentication.

    All users in your tenant must register for multifactor authentication (MFA) in the form of the Azure AD Multifactor Authentication. Users have 14 days to register for Azure AD Multifactor Authentication by using the Microsoft Authenticator app or any app supporting OATH TOTP. After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.

    Users are asked to register for MFA. This doesn't mean that users will be prompted for MFA every time they access any Azure resources. Users will be asked to go through MFA only when Azure suspects any unusual login to the user's account.

    If you do not want this behavior, you can disable security defaults.

    Follow the steps below to disable security defaults in Azure AD.

    1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
    2. Browse to Azure Active Directory > Properties.
    3. Select Manage security defaults.
    4. Set the Enable security defaults toggle to No.
    5. Select Save.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
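
For the case raised in the question (MFA for admin accounts but not the whole organization), the portal steps above can be paired with a Conditional Access policy scoped to administrator roles. This is an added example, not part of the thread: it uses the Microsoft Graph PowerShell SDK, assumes Conditional Access licensing (Microsoft Entra ID P1 or higher), and the policy name and emergency-access object ID are placeholders.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Placeholder (assumption): object ID of an emergency-access account to exclude,
# so a policy mistake cannot lock every administrator out. Replace before running.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Resolve the three roles named in step 1 of the answer to their role template IDs.
$roleNames = 'Global Administrator', 'Security Administrator', 'Conditional Access Administrator'
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) {
    throw "Expected $($roleNames.Count) role templates, found $($roleIds.Count)."
}

# 1. Read the current security defaults state (what the portal toggle shows).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($defaults.IsEnabled)"

# 2. Turn security defaults off, the same change as steps 2-5 in the answer.
if ($defaults.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $false }
}

# 3. Create an MFA requirement for the administrator roles only.
#    Report-only state logs what the policy would do without enforcing it yet.
$policy = @{
    displayName   = 'Require MFA for administrator roles'   # hypothetical name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Administrator sign-ins are not challenged until `state` is changed to `enabled`, so review the report-only results in the sign-in logs and switch it promptly.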

