MFA without asking... What changed?

Tom - BR 0 Reputation points

So recently all users are being required to enter MFA info even though the O365 is protected by our Okta. Not sure what changed but it's annoying. I'd like to at least be able to protect admin accounts but not the entire organization. Thank you!

Microsoft Office Online Server
Microsoft on-premises server product that runs Office Online. Previously known as Office Web Apps Server.
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Emi Zhang-MSFT 20,346 Reputation points Microsoft Vendor


    I suggest you try to post this issue to the Microsoft 365 Admin forum:

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Sandeep G-MSFT 13,491 Reputation points Microsoft Employee

    @Tom - BR

    This MFA prompt is triggered by Azure. There is a feature called "security defaults" in Azure AD.

    Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today's environment. More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

    One of the key features within security defaults is requiring all users to register for Azure AD Multifactor Authentication.

    All users in your tenant must register for multifactor authentication (MFA) in the form of the Azure AD Multifactor Authentication. Users have 14 days to register for Azure AD Multifactor Authentication by using the Microsoft Authenticator app or any app supporting OATH TOTP. After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.

    Users are asked to register for MFA. This doesn't mean that users will be prompted for MFA every time they access any Azure resources. Users will be asked to go through MFA only when Azure suspects any unusual login to the user's account.

    If you do not want this behavior, you can disable security defaults.

    Follow the steps below to disable security defaults in Azure AD.

    1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
    2. Browse to Azure Active Directory > Properties.
    3. Select Manage security defaults.
    4. Set the Enable security defaults toggle to No.
    5. Select Save.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
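
The portal steps in the second answer can also be scripted. The following is an added example, not part of either answer and not Microsoft's own script: it reads and turns off security defaults with the Microsoft Graph PowerShell module, then creates a report-only Conditional Access policy that requires MFA only for the admin roles named in step 1, which is what the question asks for. The policy display name and role selection are assumptions chosen for illustration, and Conditional Access is assumed to be licensed in the tenant (Microsoft Entra ID P1 or higher).

```powershell
# Added example; assumes the Microsoft.Graph PowerShell module is installed
# and the signed-in account holds one of the admin roles from step 1.
Connect-MgGraph -Scopes @(
    'Policy.Read.All',
    'Policy.ReadWrite.SecurityDefaults',
    'Policy.ReadWrite.ConditionalAccess',
    'Application.Read.All',
    'RoleManagement.Read.Directory'
)

# Current state of the "Enable security defaults" toggle.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($defaults.IsEnabled)"

# Scripted equivalent of setting the toggle to No and selecting Save.
if ($defaults.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy `
        -BodyParameter @{ isEnabled = $false }
}

# Resolve role template IDs by display name instead of hard-coding GUIDs.
# The role list is an assumption; extend it to every privileged role in use.
$roleNames = 'Global Administrator', 'Security Administrator',
             'Conditional Access Administrator'
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) {
    throw 'Not every role name resolved; refusing to create a partial policy.'
}

# MFA for admin roles only, created in report-only mode so its effect can be
# reviewed in the sign-in logs before anyone sets the state to 'enabled'.
$policy = @{
    displayName   = 'EXAMPLE - Require MFA for admin roles'   # hypothetical name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeRoles = $roleIds }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object Id, DisplayName, State
```

While the policy stays in report-only mode and security defaults are off, nothing in the tenant enforces MFA, so the window between the two changes should be kept short.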