Conditional access & Authentication Strength policy

GS 0 Reputation points
2024-05-28T11:46:41.6766667+00:00

Hi to all, I am struggling to set up a working authentication policy, but I am hitting a wall all the time! First of all, we have an Entra P1 license and the tenant was registered before 2019. When I am using the per-user MFA setting, all works fine to enforce the MFA policy. The behavior is this: when a new user tries to log in, it asks for validation through SMS and then it points him to a nice guide on how to set up the Microsoft Authenticator app to finish MFA setup. According to the documentation, if someone wants to use the 'new way' he should go via a Conditional Access policy and authentication strength. BUT if I disable the policy in per-user MFA and go via Conditional Access, setting passwordless MFA, the user is again prompted to set up Authenticator, but from a slightly different guide page which gets the user into an endless loop, making it impossible for him to log in!!! It gives the link for setting up the authenticator (personal security info) but it never goes there, getting back to the start guide page... Any help would be appreciated...

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Navya 13,455 Reputation points Microsoft Vendor
    2024-05-29T12:28:09.1866667+00:00

    Hi @GS

    Thank you for posting this in Microsoft Q&A. I understand you're having trouble setting up a working authentication policy in your Azure AD tenant. You've tried using per-user MFA settings and it works fine, but when you try to use Conditional Access with passwordless MFA, the user is prompted to set up the Microsoft Authenticator app but is unable to complete the setup process.

    Can you check whether phone sign-in is enabled in your Microsoft Authenticator? If not, please enable phone sign-in in Microsoft Authenticator. After users have registered themselves for the Microsoft Authenticator app, they need to enable phone sign-in.

    Please follow the steps mentioned in this document: Enable phone sign-in

    Have you tried Require multifactor authentication under grant controls instead of passwordless MFA in the Conditional Access policy? If you have, what is the behavior of that policy?

    Hope this helps. Do let us know if you have any further queries.

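
The answer contrasts two ways of expressing the grant control in a Conditional Access policy: the classic "Require multifactor authentication" built-in control and an authentication strength such as Passwordless MFA. The following is an added example, not code from the thread or from Microsoft; it builds both variants as Microsoft Graph conditionalAccessPolicy request bodies and runs a small pre-rollout review over them (report-only state first, an excluded emergency-access account, no mixing of the two grant styles). The built-in authentication strength GUIDs are Microsoft's documented well-known values; the break-glass account ID is a constructed placeholder, and the review rules are this example's own checklist, not Graph validation.

```python
"""Build and review Microsoft Graph conditionalAccessPolicy bodies.

Added example. Models the two grant-control styles discussed in the thread:
the built-in "mfa" control and an authenticationStrength reference.
"""
import json

# Documented well-known built-in authentication strength policy IDs.
BUILTIN_STRENGTH = {
    "mfa": "00000000-0000-0000-0000-000000000002",
    "passwordless_mfa": "00000000-0000-0000-0000-000000000003",
    "phishing_resistant_mfa": "00000000-0000-0000-0000-000000000004",
}

# Constructed placeholder object ID for an emergency-access (break-glass) account.
BREAK_GLASS_USER_ID = "11111111-1111-1111-1111-111111111111"


def build_policy(display_name, grant, *, include_users=("All",),
                 exclude_users=(BREAK_GLASS_USER_ID,),
                 state="enabledForReportingButNotEnforced"):
    """Return a body for POST /identity/conditionalAccess/policies.

    grant is ("mfa",) for the built-in control, or
    ("strength", "<key in BUILTIN_STRENGTH>") for an authentication strength.
    The default state is report-only so the policy can be staged before enforcement.
    """
    policy = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_users),
                "excludeUsers": list(exclude_users),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR"},
    }
    if grant[0] == "mfa":
        policy["grantControls"]["builtInControls"] = ["mfa"]
    elif grant[0] == "strength":
        policy["grantControls"]["builtInControls"] = []
        policy["grantControls"]["authenticationStrength"] = {
            "id": BUILTIN_STRENGTH[grant[1]]
        }
    else:
        raise ValueError(f"unknown grant kind {grant[0]!r}")
    return policy


def review_policy(policy):
    """Return a list of findings a reviewer would raise before enabling the policy."""
    findings = []
    grant = policy.get("grantControls", {})
    users = policy.get("conditions", {}).get("users", {})
    if "mfa" in grant.get("builtInControls", []) and "authenticationStrength" in grant:
        findings.append("combines Require MFA with an authentication strength; pick one")
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("targets all users with no excluded emergency-access account")
    if policy.get("state") == "enabled" and "authenticationStrength" in grant:
        findings.append("enforces an authentication strength directly; stage it in report-only first")
    return findings


if __name__ == "__main__":
    for name, grant in [("CA - Require MFA", ("mfa",)),
                        ("CA - Passwordless MFA", ("strength", "passwordless_mfa"))]:
        body = build_policy(name, grant)
        print(json.dumps(body, indent=2))
        print("findings:", review_policy(body) or "none")
```

Staging the authentication-strength variant in report-only mode lets the sign-in logs show which users would be blocked (for instance, those whose Authenticator registration lacks phone sign-in) before anyone is locked out of the tenant.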
