Set it to Enforced if you want them to go over the registration policy. Or better yet, toggle Security defaults on.
Office 365 MFA disable external access if not enforced
So there are three MFA settings. Disabled, Enabled and enforced. Enabled is set and then the user can authenticate using only name and password at which point they have to enroll in the MFA process.
We have 100% requirement that all users have MFA enabled. Unfortunately some of them don't complete this process because they never check email outside the company.
Is there a setting that I can disable authentication from ALL users that have disabled, or enabled, set for MFA UNLESS the request comes from an IP that is on the trusted IP list. This will ensure that no authentication requests are accepted from OUTSIDE the corporate network that are for users that do not have MFA enforced meaning they have completed the enrollment process.
Thanks John
Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
2021-03-09T20:56:09.24+00:00
John D 36 Reputation points
2021-03-10T11:25:45.903+00:00 Unfortunately, that does not answer my question at all.
Enabled or enforced still allows authentication until the registration process has been completed. Therefore the users that are using Outlook inside the trusted IP network are never prompted and never have to complete the registration process. This means that a would-be hacker can still authenticate from outside the network without having to enter MFA, because the MFA process has not been completed. In fact, if he gained access, he could complete the MFA process using his own cell phone or whatever.
Toggle Security defaults on? That sounds intriguing, but I have no idea what security defaults you are referring to.
I would think this would be a common-sense flag that could be set:
Disable access for any user that does not have MFA registration complete unless coming from a trusted IP. That's what I would like to do. How does one accomplish that?
Thanks
John
John D 36 Reputation points
2021-03-10T12:28:09.237+00:00 Will do. I have a ticket open with our Azure escalation support partner to see if they can help me figure out why it's not applying.
Thanks
John
John D 36 Reputation points
2021-03-10T11:28:29.973+00:00 https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
"The user is enrolled per-user in Azure AD Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."
Himanshu Ahuja 1 Reputation point
2021-03-10T11:39:00.307+00:00 What about a conditional access policy to grant access only if MFA is enforced?
As per my understanding, you should be able to create a policy with a check mark for "Require multi-factor authentication". You can also add conditions of trusted locations at the same time.
From what I have witnessed, this makes sure any user will be granted access only when MFA is enforced. (Yes, I know enforced is not the same as enabled :) ) Please let me know if this helps or not. I am testing a few things, and if I come across something else, I will surely update here.
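The policy Himanshu describes (require MFA for all users, with trusted locations excluded), written out as an added example with the Microsoft Graph PowerShell SDK. This is not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, and the break-glass account id is a placeholder you must replace.

```powershell
# Added example, not from the original thread. Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and a Conditional Access administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require MFA outside trusted locations"
    # Start in report-only state: the sign-in log then shows who would be affected
    # before anyone is actually challenged. Switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Keep at least one emergency-access account out of every MFA policy.
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            # "AllTrusted" covers every named location marked as trusted,
            # which is where the corporate trusted IP ranges belong.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

A user with no registered method who signs in from outside a trusted location is prompted to register at that sign-in rather than denied, which is the gap John raises; reviewing the report-only sign-in log shows which accounts are still in that state.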