![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 83%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHV%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Hi @Heidi Vandezande
Thank you for posting your query on Microsoft Q&A.
I understand that you have applied a conditional access policy on all external users to use MFA. You implemented hardware tokens because you don't want to use their personal information with the verification methods.
When a new user logs in, he is prompted to use MFA since a conditional access policy is in place, which means "more information required".
Check to see if MFA is enabled for certain users using authentication methods other than the OATH Hardware token. If yes, exclude those users from the other authentication methods that take precedence over OATH Hardware tokens. and also Check to see if there was any another way where MFA is enabled for select users.
Hope this helps. Do let us know if you have any further queries.
------------
If this answers your query, do click `Accept Answer` and `Yes`.
Thanks,
B. Siri Chandana.