This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 13%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Hi, it seems the enforcement of MFA for users doen not work. Most users can just continue to log off and on without having to MFA. I have setup the conditional access policy in Entra ID according to instructions. Please assist!
Check the sign in logs and see if the policy is being applied.
Did you create a policy similar to this?
Any exclusions?
I did. Some users did need to use MFA, some didn't. They're all in the same policy.
The log says most users only used single factor authenticator last logon.
Will it help if I ask all of them to log off and logon? Some already did, tot no succes.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Bo Besters,
Thank you for following up on this!
As you mentioned, I see that for some users who completed the sign-in with MFA the log shows Second factor authentication and for users who completed the sign-in without any MFA the log shows single factor authentication.
To delve deeper into this issue, I require some details from the end-users' perspective. Could you please provide information about the applications they are signing into?
Additionally, have any conditions been applied to the Conditional Access policy you created?
When reviewing the Microsoft Entra sign-in logs, could you please confirm whether the created Conditional Access policy is being applied to the user sign-in log?
Please locate the Entra sign-in log that displays 'Single factor authentication'.
Within that log, navigate to the 'Conditional access' tab, as illustrated in the screenshot below.
Next, examine the result of your created CA policy for that specific sign-in log. To access more detailed information about the policy result, click on the 'policy name' or select the three dots to view it in detail.
On this screen, it will indicate whether the user has completed MFA or not. If not, it will provide information on where exactly the user was excluded from the policy.
I hope this clarifies the steps needed for further investigation and please feel free to get back to me if you have any questions.
Thanks,
Raja Pothuraju.
Hello @Bo Besters,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @Bo Besters,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.