MFA enforced when accessing Security Info from my account

Question

This is the scenario:

• Security Defaults are disabled
• All CA polices are in Read Only Mode
• MFA is not enforced in the Legacy MFA portal
• User is enabled for combined registration and MFA methods such as phone and authenticator app have been added to the user account.

When a user attempts to access "Security Info" section within "My Account" it is always prompted to complete MFA; however, there is not policy enabled for this enforcement. I cannot find any Microsoft official document indicating that this is the default or expected behavior for the Combined registration.

does anyone know why this is happening? Being this the case, the Conditional access policy for "Securing Information Registration" becomes pointless.

Answer 1

Hi @Cristobal Fallas

Thank you for posting your query on Microsoft Q&A.

If a user already has at least one MFA method configured then they will always be prompted for MFA when accessing the "Security Info" portal. This is to prevent any bad actor from adding / removing MFA methods for the user with just their password. This would subsequently allow them to access other resources that are configured to require MFA.

The Conditional Access policies for "Securing Information Registration" become more useful for first time registration of MFA methods, i.e only allowing MFA to be registered from a hybrid or compliant device, or only inside the corp network.

I hope this helps, but if you have any further queries just let me know.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.