Conditional Access - MFA enabled all users - external user blocked

Question

Conditional Access - MFA enabled all users - external user blocked

VMAX_Lapras 25

Hello there.

We have recently gone through the legacy > new MFA migration as per the recommended process.

We have enabled authentication methods that correspond with what we had in legacy.

There is an external user (account created with an address not part of our tenant) who is getting blocked by the MFA all users policy however.

The authentication methods we have in place are here.

authentication_methods

The error the person is receiving is here. I have tried resetting the MFA settings.

Untitled

Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator

2024-01-08T18:00:52.5933333+00:00

Hi VMAX_Lapras,

Thank you for posting your query on Microsoft Q&A!

Could you let me know if you are using "Authentication Strengths" with your Conditional Access policy? It looks like the it could be the first factor of authentication which is actually failing, i.e the user might be using passwordless but a CA policy is requiring a password as first factor.

Kind Regards,

Donal
VMAX_Lapras 25 Reputation points

2024-01-09T15:35:54.88+00:00

Hi Donal.

Thanks for the reply. We do have an authentication strengths for this policy- screenshot below. Is there any way to determine which factor it's failing on for them? I think it's pass+authenticator, or pass+sms they will have configured, and it looks like that should work if I understand the below correctly.

Many thanks
JamesTran-MSFT 37,216 Reputation points Microsoft Employee Moderator

2024-01-24T22:57:52.94+00:00

@VMAX_Lapras
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
VMAX_Lapras 25 Reputation points

2024-02-01T15:19:14.5966667+00:00

Hi there, I think the issue has been resolved. Many thanks for your assistance. Cheers,

1 answer

Your answer

Domooney-MSFT 2,606 Reputation points Microsoft Employee Moderator

2024-01-08T18:00:52.5933333+00:00

Hi VMAX_Lapras,

Thank you for posting your query on Microsoft Q&A!

Could you let me know if you are using "Authentication Strengths" with your Conditional Access policy? It looks like the it could be the first factor of authentication which is actually failing, i.e the user might be using passwordless but a CA policy is requiring a password as first factor.

Kind Regards,

Donal
VMAX_Lapras 25 Reputation points

2024-01-09T15:35:54.88+00:00

Hi Donal.

Thanks for the reply. We do have an authentication strengths for this policy- screenshot below. Is there any way to determine which factor it's failing on for them? I think it's pass+authenticator, or pass+sms they will have configured, and it looks like that should work if I understand the below correctly.

Many thanks
JamesTran-MSFT 37,216 Reputation points Microsoft Employee Moderator

2024-01-24T22:57:52.94+00:00

@VMAX_Lapras
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
VMAX_Lapras 25 Reputation points

2024-02-01T15:19:14.5966667+00:00

Hi there, I think the issue has been resolved. Many thanks for your assistance. Cheers,

Answer 1

Hi @VMAX_Lapras

I see you have posted a screenshot of your Authentication Strength; the error suggests the user does not meet the policy.

In Microsoft Entra, expand Protection > Authentication methods. Then under Monitoring, select User registration details.

From that page, find the user and see the methods they have registered and the default.

You could reset their MFA method and direct them to aka.ms/mfasetup to set up an appropriate method.

Let me know!

https://www.linkedin.com/in/danielbradley2/

Share via

Conditional Access - MFA enabled all users - external user blocked

1 answer

Your answer