Azure MFA state behaviour

HK G 516 Reputation points
2021-03-09T20:06:12.217+00:00

Hi, I am trying to understand the MFA state behavior on Azure. I am enrolling users for MFA from our tenant. Some users were unable to log in to Outlook after the enabling. I noticed that these users' MFA states were changed from Enabled to Enforced. I am not sure what triggered the change. But not all users' states were changed even though they were all enabled the same way, e.g. through Office 365 admin portal. The users whose states are Enabled are able to log in. I understand that this has to do with our Exchange online tenant not having Modern Authentication enabled. But my concern is how the MFA state got changed. Thanks

Microsoft Entra ID

3 answers

  1. Vasil Michev 95,836 Reputation points MVP
    2021-03-10T08:33:08.073+00:00

    The state won't change to "Enforced" on its own, someone on your end toggled this. And make sure you enable Modern authentication.


  2. HK G 516 Reputation points
    2021-03-10T17:59:37.34+00:00

    Can the user somehow change that state when they did the MFA registration? This is definitely not done by the admin.

    Thanks


  3. HK G 516 Reputation points
    2021-03-18T00:28:44.317+00:00

    I did some tests with a few test user accounts. I enabled them from the tenant and the states were Enabled. When I finished the MFA method registration and checked the status again, they all showed as Enforced. I also found this statement at the link.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

    Users who complete registration while in the Enabled state are automatically moved to the Enforced state.

    The only way to keep the user state to be enabled is to disable and reenable them.

    Is there any way to keep the user enabled without doing the disabling/re-enabling?

    Thanks

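Added example, not part of the thread or of Microsoft's documentation: a PowerShell function that classifies accounts by per-user MFA state and flags the ones that will move from Enabled to Enforced when registration completes, the behaviour quoted in the last post. The function name `Get-MfaStateReport` and the sample users are constructed; the property names assume objects shaped like the output of the MSOnline `Get-MsolUser` cmdlet.

```powershell
# Added example: per-user MFA state audit. Function name and sample data are
# constructed; property names assume objects shaped like Get-MsolUser output.
function Get-MfaStateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # An empty StrongAuthenticationRequirements list means per-user MFA is Disabled.
        $req     = @($User.StrongAuthenticationRequirements | Where-Object { $_ })
        $methods = @($User.StrongAuthenticationMethods | Where-Object { $_ })
        $state   = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
        $registered = $methods.Count -gt 0

        $note = switch ($state) {
            'Enabled' {
                if ($registered) { 'Registered and still Enabled (per the thread: disabled and re-enabled)' }
                else { 'Will move to Enforced when registration completes' }
            }
            'Enforced' { 'Per the thread: Outlook sign-in failed while Modern Authentication was off' }
            default    { 'Per-user MFA not turned on' }
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            State             = $state
            Registered        = $registered
            Note              = $note
        }
    }
}

# Constructed sample users so the function can be run offline.
$enabled  = [pscustomobject]@{ State = 'Enabled' }
$enforced = [pscustomobject]@{ State = 'Enforced' }
$method   = [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; StrongAuthenticationRequirements = @($enabled);  StrongAuthenticationMethods = @() }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   StrongAuthenticationRequirements = @($enforced); StrongAuthenticationMethods = @($method) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; StrongAuthenticationRequirements = @();          StrongAuthenticationMethods = @() }
)
$sample | Get-MfaStateReport | Format-Table -AutoSize -Wrap

# Against a live tenant (assumes the MSOnline module is available):
#   Connect-MsolService; Get-MsolUser -All | Get-MfaStateReport
# Modern Authentication status in Exchange Online:
#   Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
```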