Few users are asked for MFA after all the company was joined to hybrid AD.

Question

Any MFA requirements are disabled in our tenant, but for some reason, few users are required to setup MFA (got a message after logged in to Windows) The error in sign on logs is: Authentication requirement Multifactor authentication Status Interrupted Continuous access evaluation No Additional Details The user was presented options to provide contact options so that they can do MFA. Resource Device Registration Service Any ideas? Thanks.

Answer 1

Hello @Vlad Schwartz ,

Thank you for contacting Microsoft QnA platform. There can be multiple reasons for users to be prompted for MFA, however considering the resource you mentioned, I assume the “Require Multi-Factor Auth to join devices” setting could be the reason why some users are being prompted to set up MFA when then join the device to Azure AD/Entra ID. This setting can be found on the Azure AD Admin center under Devices > Device settings.

If this setting is enabled, it requires users to authenticate with a second device and two forms of credentials when they attempt to join a device to Azure AD. This could explain why users are seeing the MFA setup prompt after logging into Windows. You can check this setting by following these steps:

1. Navigate to the Azure AD Admin center.
2. Go to Devices > Device settings.
3. Check the status of “Require Multi-Factor Auth to join devices”. If it’s set to “Yes”, this means MFA is required to join devices.

If you want to disable this, you can set “Require Multi-Factor Auth to join devices” to “No” and then click "Save". For more details you can review following documentation link: https://learn.microsoft.com/en-us/MEM/intune/enrollment/multi-factor-authentication

I hope this answer helps to resolve your issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.