Azure MFA/ADFS - one user requiring MFA even when it's disabled

russell@northport 1 Reputation point
2020-06-01T20:40:59.21+00:00

We initially enabled Azure MFA but then disabled it due to issues.

We have one user on our Office 365 account who is still prompted for the “more information required” page when logging in. The ultimate error is “An error occurred. No valid strong authentication method found. Contact your administrator to configure and enable appropriate strong authentication provider.”

MFA is disabled for the user and disabled for the tenant (Enable security defaults is set to No).

The Event log on the ADFS server is Event 364, AD FS –

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.Web.NoValidStrongAuthenticationMethodException: No strong authentication method found for the request from urn:federation:MicrosoftOnline.
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The problem user account doesn’t appear to be any different from others that don’t have any issues logging in.

Does anyone have any ideas where I should look to resolve this?

Thanks

Russell


6 answers

  1. AmanpreetSingh-MSFT 56,501 Reputation points
    2020-06-03T11:28:28.557+00:00

    Hi @northport,

    Looking at the error, there seems to be some Access Control Policy applied to the Microsoft Office 365 relying party that requires MFA to be performed, and since MFA is disabled, authentication is failing at the second factor.

    On ADFS, the global authentication method can also be configured to require MFA, but as one user is getting this error, I suspect it is not configured at the global level but by a specific Access Control Policy on the O365 RP.

    Please check the access control policies on the O365 relying party on the ADFS server and remove any policy that requires MFA to be performed. For more details on access control policies in ADFS, please refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    2 people found this answer helpful.

  2. Manu Philip 17,351 Reputation points MVP
    2020-06-02T18:53:44.503+00:00

    Hello @Russel,
    It looks like you have set Security defaults to apply to your Azure AD; they can be disabled as below:

    Azure Active Directory > Properties > Manage security defaults at the bottom of the page > set Enable security defaults to No

    Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

    Regards,

    Manu


  3. Larry Alexander 1 Reputation point
    2020-06-10T14:46:43.613+00:00

    Hi Russell,

    Out of curiosity, have you checked via PowerShell (as administrator) for additional authentication rules:

    $ThisRPT="{Your RPT}"
    (Get-AdfsRelyingPartyTrust -Name $ThisRPT).AdditionalAuthenticationRules

    Using an Access Control Policy should mean that there are no Additional Authentication Rules, but it is best to be sure, as these do not show in the ADFS GUI screens.

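The answers above point at three places on the AD FS server where an MFA requirement can be set: the access control policy on the Office 365 relying party, additional authentication rules on that relying party, and the global authentication policy. The following read-only PowerShell is an added example, not code from any poster on this thread, that collects all three in one pass. It assumes an elevated session on the AD FS server, uses the relying party identifier from the Event 364 text, and `$report` and `$mfaMarker` are illustrative names.

```powershell
# Added example: read-only check of where AD FS may be demanding MFA.
Import-Module ADFS

# Identifier taken from the Event 364 text in the question.
$rpIdentifier = 'urn:federation:MicrosoftOnline'

# Claim rules that trigger MFA issue this authentication method value.
$mfaMarker = 'multipleauthn'

$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No relying party trust found for $rpIdentifier" }

$global = Get-AdfsGlobalAuthenticationPolicy

$report = [pscustomobject]@{
    RelyingParty           = $rp.Name
    # Access control policy assigned to the relying party (AD FS 2016 and later)
    AccessControlPolicy    = $rp.AccessControlPolicyName
    # RP-level additional authentication rules: not shown in the AD FS GUI
    RpAdditionalAuthRules  = $rp.AdditionalAuthenticationRules
    RpRulesReferenceMfa    = [bool]($rp.AdditionalAuthenticationRules -match $mfaMarker)
    # Providers enabled globally for additional (second-factor) authentication;
    # an empty list plus any MFA requirement matches the error in Event 364
    AdditionalAuthProvider = $global.AdditionalAuthenticationProvider -join ', '
}
$report | Format-List

# Global additional authentication rules, which apply to every relying party
Get-AdfsAdditionalAuthenticationRule | Format-List *

# Definition of the assigned access control policy, to see whether it requires MFA
if ($rp.AccessControlPolicyName) {
    Get-AdfsAccessControlPolicy -Name $rp.AccessControlPolicyName | Format-List *
}
```

A policy or rule that requires MFA while `AdditionalAuthProvider` is empty is consistent with the "No strong authentication method found" exception quoted in the question.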

  4. Patrick S 1 Reputation point
    2021-02-02T21:53:15.523+00:00

    Were you ever able to resolve this issue? After configuring AzureMFA, it worked for a while but it somehow broke and I'm getting the same error.

    Relying party: Microsoft Office 365 Identity Platform
    Error details: No strong authentication method found for the request from urn:federation:MicrosoftOnline.


  5. Isidro Manuel Muñoz Sánchez 1 Reputation point
    2021-07-28T11:48:48.57+00:00

    We have the same issue.

    Any update?
