How to enable MFA (mobile authenticator) conditional access on a B2C client for select users while not requiring users without MFA to register an authenticator

Matthew Beckett 0 Reputation points
2023-09-18T14:47:36.3566667+00:00

We are attempting to roll out MFA for specific users on our B2C tenant; these users are within their own groups and within a conditional access policy where they have the MFA grant enabled.

We have set our Sign Up / Sign In userflow to conditional MFA.

We have disabled security defaults on the tenant.

The problem: when the user flow is run, all users, even if explicitly excluded from the policy, are still prompted to register the authenticator app, and they are unable to proceed until they have done so.

Once this has been done, it will no longer prompt them to register the application.

We wish that the users are not prompted to register until we have included them in the conditional access policy.

We have since tried amending the 'Multifactor authentication registration policy' to prevent this but this seems to have also had no effect. Any help would be greatly appreciated.
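The question hinges on which users the Conditional Access policy itself scopes in. The following is an added illustration, not code from the question or from Microsoft: it models only the policy's own user scoping, where an exclusion always wins over an inclusion, so a reader can check the expected outcome for a given user against what the user flow is actually doing. Group names such as `grp-mfa-pilot` and `grp-mfa-exempt` and the user principal names are constructed placeholders; the real policy evaluation in Entra has more conditions (applications, locations, device state) that this model deliberately leaves out.

```python
"""Model of Conditional Access user scoping with MFA as the grant control.

Constructed example: group names, users and policy names are placeholders.
Only the include/exclude precedence rule is modelled; real policies carry
further conditions (apps, locations, device state) not represented here.
"""
from dataclasses import dataclass, field


@dataclass
class CAPolicy:
    name: str
    include_groups: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)
    # Grant controls the policy enforces, e.g. {"mfa"}.
    grant_controls: set = field(default_factory=set)


@dataclass
class User:
    upn: str
    groups: set


def policy_applies(policy: CAPolicy, user: User) -> bool:
    """True when the policy's user assignment covers this user.

    An explicit exclusion takes precedence over any inclusion, so a user in
    both an included and an excluded group is out of scope.
    """
    if policy.exclude_groups & user.groups:
        return False
    return bool(policy.include_groups & user.groups)


def mfa_required(policies: list, user: User) -> bool:
    """True when at least one applicable policy carries the MFA grant."""
    return any(
        policy_applies(p, user) and "mfa" in p.grant_controls for p in policies
    )


def scope_report(policies: list, users: list) -> dict:
    """Map each UPN to whether the CA policies would require MFA for it."""
    return {u.upn: mfa_required(policies, u) for u in users}


# Constructed sample data mirroring the situation described above:
# one pilot group targeted by the policy, one group explicitly excluded.
PILOT_POLICY = CAPolicy(
    name="B2C MFA pilot (constructed)",
    include_groups={"grp-mfa-pilot"},
    exclude_groups={"grp-mfa-exempt"},
    grant_controls={"mfa"},
)

SAMPLE_USERS = [
    User("pilot.user@contoso.example", {"grp-mfa-pilot"}),
    User("exempt.user@contoso.example", {"grp-mfa-exempt"}),
    User("both.user@contoso.example", {"grp-mfa-pilot", "grp-mfa-exempt"}),
    User("plain.user@contoso.example", {"grp-staff"}),
]


if __name__ == "__main__":
    for upn, required in scope_report([PILOT_POLICY], SAMPLE_USERS).items():
        print(f"{upn}: MFA required by CA policy = {required}")
```

If a user for whom this model returns `False` is still forced to register an authenticator at sign-in, the prompt is coming from something other than this policy's user assignment, which narrows where to look (the user flow's MFA setting, the registration policy, or another policy).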

Microsoft Entra ID
