Enforcing MFA policy doesn't work.

Bo Besters 0 Reputation points
2024-06-04T10:03:28.64+00:00

Hi, it seems the enforcement of MFA for users does not work. Most users can just continue to log off and on without having to MFA. I have set up the conditional access policy in Entra ID according to instructions. Please assist!

Microsoft Entra ID

2 answers

  1. Andy David - MVP 143.6K Reputation points MVP
    2024-06-04T10:34:36.42+00:00

    Check the sign in logs and see if the policy is being applied.

    Did you create a policy similar to this?

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa

    Any exclusions?


  2. Raja Pothuraju 385 Reputation points Microsoft Vendor
    2024-06-12T13:53:12.03+00:00

    Hello @Bo Besters,

    Thank you for following up on this!

    As you mentioned, I see that for some users who completed the sign-in with MFA, the log shows second factor authentication, and for users who completed the sign-in without any MFA, the log shows single factor authentication.
    To delve deeper into this issue, I require some details from the end-users' perspective. Could you please provide information about the applications they are signing into?

    Additionally, have any conditions been applied to the Conditional Access policy you created?

    When reviewing the Microsoft Entra sign-in logs, could you please confirm whether the created Conditional Access policy is being applied to the user sign-in log?

    Please locate the Entra sign-in log that displays 'Single factor authentication'.

    Within that log, navigate to the 'Conditional access' tab, as illustrated in the screenshot below.

    User's image

    Next, examine the result of your created CA policy for that specific sign-in log. To access more detailed information about the policy result, click on the 'policy name' or select the three dots to view it in detail.

    User's image

    On this screen, it will indicate whether the user has completed MFA or not. If not, it will provide information on where exactly the user was excluded from the policy.

    I hope this clarifies the steps needed for further investigation and please feel free to get back to me if you have any questions.

    Thanks,
    Raja Pothuraju.
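
The per-sign-in check described in the answer above can be run in bulk over exported sign-in logs. This is an added example, not part of the original thread; it assumes records shaped like Microsoft Graph signIn objects (the `authenticationRequirement` and `appliedConditionalAccessPolicies` fields), and the policy name and sample records are constructed.

```python
from collections import Counter

POLICY_NAME = "Require MFA for all users"  # assumption: display name of your CA policy

# What each policy result means for enforcement, keyed by the Graph result value.
NEXT_STEP = {
    "notApplied": "user/app out of scope or excluded, or a condition did not match",
    "notEnabled": "policy is switched off",
    "reportOnlyFailure": "policy is in report-only mode, so MFA was not enforced",
    "reportOnlyNotApplied": "report-only mode and the sign-in was out of scope",
    "notListed": "policy missing from this record; check its name and state",
}

# Constructed sample records (not real log data), shaped like Graph signIn objects.
SAMPLE = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": []},
]

def policy_result(sign_in, policy_name):
    """Result of the named policy for one sign-in, or 'notListed' if absent."""
    for policy in sign_in.get("appliedConditionalAccessPolicies") or []:
        if policy.get("displayName") == policy_name:
            return policy.get("result", "unknown")
    return "notListed"

def triage(sign_ins, policy_name=POLICY_NAME):
    """(user, app, policy result) for every single-factor sign-in."""
    return [(s.get("userPrincipalName"), s.get("appDisplayName"), policy_result(s, policy_name))
            for s in sign_ins
            if s.get("authenticationRequirement") == "singleFactorAuthentication"]

def summarize(rows):
    """Count single-factor sign-ins per policy result."""
    return Counter(result for _, _, result in rows)

if __name__ == "__main__":
    for user, app, result in triage(SAMPLE):
        print(f"{user:24} {app:28} {result:18} {NEXT_STEP.get(result, 'open the policy details')}")
    print(dict(summarize(triage(SAMPLE))))
```

Grouping the output by result shows quickly whether the single-factor sign-ins share one cause (for example a report-only policy) or several.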