Entra ID - MFA and CA

Question

We have several apps registered and successfully using MFA with conditional access policies. However, we've recently introduced a partner that uses OKTA. This one application connection seems to disregard CA policies and prompt users for MFA (users are on the same 'trusted' network). The logs and Sign-in diag in Entra are a bit perplexing. There are no errors, nothing suspicious, and when drilling in, the diag states: Auth method: Previously Satisfied | Results: MFA requirement skipped due to IP address | Requirement: MFA is enforced for the user account. ...So, my question is: Am I reading the results wrong? If MFA is skipped and/or previously satisfied, why are users being prompted for MFA with this one app?

This challenge appears similar to: https://learn.microsoft.com/en-us/answers/questions/1340013/why-are-some-applications-prompting-for-mfa-and-ot

and/or... https://learn.microsoft.com/en-us/answers/questions/1295071/users-repeatedly-prompted-for-mfa

...Thanks for any insight

This challenge appears similar to: https://learn.microsoft.com/en-us/answers/questions/1340013/why-are-some-applications-prompting-for-mfa-and-ot

and/or... https://learn.microsoft.com/en-us/answers/questions/1295071/users-repeatedly-prompted-for-mfa

...Thanks for any insight

Answer

Hi @Jim Smith , I assume you followed the steps in the threads you linked, and as you saw we're going to have to look into your environment. This issue is tricky to solve otherwise. Can you please send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID? I can open a free support ticket for you.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Share via

Entra ID - MFA and CA

1 answer

Your answer