Conditional Access not bypassing MFA registration

Ricardo Goncalves 20 Reputation points
2024-04-22T17:45:46.4733333+00:00

Hi All

I am looking for assistance with MFA. Currently our tenant is set up with a Conditional Access policy which has been working fine for us; we have excluded some accounts as these are service accounts. Today all our service accounts cannot be logged into without having to set up MFA, which we set up Conditional Access to mitigate. Is there anyone that can assist or direct me to a solution?

Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 142.2K Reputation points MVP
    2024-04-22T20:12:58.58+00:00

    It depends on how this service account accesses Entra services.

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks#require-users-to-register-when-they-sign-in

    • Microsoft 365
    • Microsoft Entra admin center
    • Access Panel
    • Federated applications
    • Custom applications using Microsoft Entra ID

    Generally I would set this to No and then use the CA policy to force a user to register MFA and SSPR when accessing Entra.

    1 person found this answer helpful.

4 additional answers

  1. Andy David - MVP 142.2K Reputation points MVP
    2024-04-22T17:55:26.17+00:00

    What is set for MFA registration requirements?

    Ensure those service accounts are not included as well:

    https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy

    Also verify that they aren't enabled for per-user MFA:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates


  2. Ricardo Goncalves 20 Reputation points
    2024-04-22T18:40:46.34+00:00

    Hi Andy

    Checked the first link you sent me, and have added a service account in the exclude option; will test and let you know soon.

    On your 2nd link the service account is disabled for MFA.

    Any idea how long I must wait for the changes to take effect, or are they instant?


  3. Ricardo Goncalves 20 Reputation points
    2024-04-22T18:52:39.1733333+00:00

    Hi Andy, from the Azure sign-in logs for the user I see this message:

    User authentication was blocked because they need to provide password reset information. Their next interactive sign in will ask them for this, which the app should trigger next.

    And also this message:

    User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others.


  4. Ricardo Goncalves 20 Reputation points
    2024-04-22T19:07:41.4433333+00:00

    Hi Andy

    I think with your help I see where the issue could be. I had a group before in SSPR Password Reset, which was Selected; I removed this group as I was following a remediation for my security score card, and I then changed this to All. I have now changed it back to Selected with the group back, and now I am able to sign in with the service account again.

    I have the setting you specified earlier set to Yes ("Require users to register when signing in"). Can I leave it like this, or should I change it to No?

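The checklist in Andy's answers (Conditional Access scope, per-user MFA state, registration state) and the sign-in log messages Ricardo quoted can be pulled together for one account in a single read-only Microsoft Graph query. The script below is an added example written for this thread, not code from the thread, from Microsoft, or from either poster. It assumes the Microsoft.Graph.Authentication module is installed, that the admin running it can consent to the listed read scopes, and that the target UPN is replaced with the real service account. The per-user MFA state endpoint is only in the beta API. It does not read the Identity Protection MFA registration policy or the SSPR "Selected" group and "Require users to register when signing in" settings (the actual root cause in this thread); those still have to be checked in the admin center, which is why the script prints the account's group memberships for comparison against the SSPR group.

```powershell
# Added audit script (not from the thread): shows why one account is being pushed
# into MFA or SSPR registration. Read-only; nothing in the tenant is changed.
# Assumptions: Microsoft.Graph.Authentication is installed and the signed-in admin
# can consent to the scopes below. 'svc-backup@contoso.example' is a placeholder UPN.
param(
    [string]$UserPrincipalName = 'svc-backup@contoso.example'
)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'Policy.Read.All',
    'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All' -NoWelcome

function Get-Graph([string]$Uri) {
    Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
}

# 1. Resolve the account and its transitive group membership. CA exclusions and the
#    SSPR "Selected" scope are usually group based, so the group names matter.
$user = Get-Graph "https://graph.microsoft.com/v1.0/users/$UserPrincipalName`?`$select=id,userPrincipalName,accountEnabled"
$groups = @()
$page = Get-Graph "https://graph.microsoft.com/v1.0/users/$($user.id)/transitiveMemberOf?`$select=id,displayName"
while ($page) {
    $groups += $page.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
    $page = if ($page.'@odata.nextLink') { Get-Graph $page.'@odata.nextLink' } else { $null }
}
$groupIds = @($groups | ForEach-Object { $_.id })
"Groups for $($user.userPrincipalName) (compare with the SSPR 'Selected' group): " +
    (($groups | ForEach-Object { $_.displayName }) -join ', ')

# 2. Conditional Access policies that require MFA (legacy 'mfa' control or an
#    authentication strength): is the account included, excluded, or not targeted?
#    Role-based targeting (includeRoles/excludeRoles) is not evaluated here.
$policies = (Get-Graph 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
foreach ($p in $policies) {
    $controls    = @($p.grantControls.builtInControls)
    $requiresMfa = ($controls -contains 'mfa') -or ($null -ne $p.grantControls.authenticationStrength)
    if (-not $requiresMfa) { continue }
    $u = $p.conditions.users
    $included = ($u.includeUsers -contains 'All') -or ($u.includeUsers -contains $user.id) -or
                (@($u.includeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    $excluded = ($u.excludeUsers -contains $user.id) -or
                (@($u.excludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    [pscustomobject]@{
        Check  = "CA policy: $($p.displayName)"
        State  = $p.state   # enabled / disabled / enabledForReportingButNotEnforced
        Result = if ($excluded) { 'excluded' } elseif ($included) { 'IN SCOPE' } else { 'not targeted' }
    }
}

# 3. Legacy per-user MFA (beta endpoint). 'enabled' or 'enforced' prompts for
#    registration regardless of any Conditional Access exclusion.
$req = Get-Graph "https://graph.microsoft.com/beta/users/$($user.id)/authentication/requirements"
[pscustomobject]@{
    Check  = 'Per-user MFA state'
    State  = $req.perUserMfaState
    Result = if ($req.perUserMfaState -eq 'disabled') { 'ok' } else { 'WILL PROMPT' }
}

# 4. What the account has actually registered for MFA and SSPR.
$reg = Get-Graph "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails/$($user.id)"
[pscustomobject]@{
    Check  = 'Registration'
    State  = "mfaRegistered=$($reg.isMfaRegistered) ssprRegistered=$($reg.isSsprRegistered)"
    Result = (@($reg.methodsRegistered) -join ', ')
}

# 5. Recent failed sign-ins with the failure reason (the text Ricardo quoted comes from
#    status.failureReason) and every CA policy that was evaluated, with its result.
#    Sign-in log UPNs are stored lower-case, so the filter uses the lower-cased value.
$upn = $UserPrincipalName.ToLowerInvariant()
$signIns = (Get-Graph "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=userPrincipalName eq '$upn'&`$top=25").value
$signIns | Where-Object { $_.status.errorCode -ne 0 } | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.createdDateTime
        App      = $_.appDisplayName
        Error    = $_.status.errorCode
        Reason   = $_.status.failureReason
        CA       = $_.conditionalAccessStatus
        Policies = (@($_.appliedConditionalAccessPolicies | ForEach-Object { "$($_.displayName)=$($_.result)" }) -join '; ')
    }
}
```

Run it once per service account after any change to CA, per-user MFA or SSPR scope; the CA section is the quickest way to confirm that a "Selected" or "All" change did not silently widen the policy to the excluded accounts. One caveat that the thread does not state: a password-only account excluded from every MFA policy is a standing weak spot, so the exclusion group should stay as small as possible and, where the workload supports it, the account is better replaced by a managed identity or a service principal with certificate credentials.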