M365 not prompting for MFA after enabling Security Defaults in Azure AD

Curtis Kobelsky 11 Reputation points
2021-04-15T03:35:31.803+00:00

Recently for a client of mine I enabled Security Defaults in Azure AD to help secure the accounts with MFA (primarily in Microsoft 365). Unfortunately it seems that even though Security Defaults is enabled it isn't applying to people when they log in to Microsoft 365; it just lets them in without needing to do MFA. If they log in to the Azure portal they do get the MFA prompt, which is what I would expect. I should note that I am logging in with a new "guest" browser session each time, which should prompt me for MFA no matter what since it should be classified as a "new" device.

I was sure this was working before in my tenant, but when I tested it out I get the same behavior (no MFA prompt in M365, MFA prompt in Azure Portal). Am I completely crazy or did something change in the last year with respect to Security Defaults where it no longer applies to Microsoft 365 logins anymore?

Microsoft Entra ID

4 answers

Sort by: Most helpful
  1. James Jenkins 6 Reputation points
    2021-04-15T05:12:00.39+00:00

    Hi Curtis,

    I'm assuming that you've gone to Azure AD > Properties > Manage Security Defaults > Enable?

    More information can be found here: https://learn.microsoft.com/en-au/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    My only other suggestion would be testing on both a domain joined device and a personal (non-joined) device.

    1 person found this answer helpful.

  2. Norman 26 Reputation points
    2022-03-07T16:18:37.857+00:00

    Hi @Curtis Kobelsky

    did you get any response from Microsoft for this case?
    I have the same behaviour for one of our small clients without AD P Licenses.

    We activated security defaults and users must register their Microsoft Authenticator.
    But if they log in from home or with another PC (I tested with the credentials of one user on my PC with a different public IP) they don't get asked to perform MFA; they log in without MFA.

    Any ideas?

    Regards,
    Norman

    1 person found this answer helpful.

  3. Gavin Pitt 1 Reputation point
    2022-03-10T12:35:42.563+00:00

    Anyone else having any luck getting this resolved? I am having exactly the same problem and it is extremely concerning.


  4. Norman 26 Reputation points
    2022-03-10T14:12:32.437+00:00

    Hi @Gavin Pitt ,

    I found out that it is by design.
    Security Defaults asks for MFA from (non-administrator) users only WHEN NECESSARY. No idea how the AI from Microsoft decides if it is necessary to confirm MFA or not.
    see: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    Here is a good article I found on the internet:
    https://diligex.com/2021/01/are-microsoft-365-azure-security-defaults-sufficient/

    I hope this will help.

    We are going to enable "Per-User MFA" in addition to "Security Defaults". This way it is less confusing, and people get asked again after the configured number of days and on new devices.

    Regards,
    Norman

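Rather than guessing from browser tests whether Security Defaults challenged a user, the sign-in log records exactly what each sign-in required. The script below is an added example, not code from this thread or from Microsoft: it reads records shaped like Microsoft Graph `signIn` objects (fields `authenticationRequirement`, `appDisplayName`, `isInteractive`, `deviceDetail.trustType`), counts interactive sign-ins per application by whether MFA was required, and lists the single-factor sign-ins to Microsoft 365 apps from devices the tenant does not know, which is the situation described in the question. The `SAMPLE_SIGNINS` records, the `contoso.example` user names and the `trustType` strings in `TRUSTED_DEVICE_TYPES` are constructed for this example; the real export from your tenant would replace them.

```python
"""Audit which Microsoft 365 sign-ins actually required MFA.

Input records mirror the fields of Microsoft Graph `signIn` objects as
exported from the Entra ID sign-in log. SAMPLE_SIGNINS is constructed
for this example; it is not real tenant data.
"""
from collections import defaultdict

SAMPLE_SIGNINS = [
    # Admin sign-in to the Azure portal: Security Defaults always require MFA here.
    {"userPrincipalName": "admin@contoso.example", "appDisplayName": "Azure Portal",
     "createdDateTime": "2022-03-07T08:00:00Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"trustType": "Azure AD joined", "isManaged": True}},
    # Normal user opening Outlook on the web from a home PC: single factor only.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2022-03-07T09:15:00Z", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"trustType": "", "isManaged": False}},
    # Same user from a corporate joined device, also single factor.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "createdDateTime": "2022-03-07T10:20:00Z", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"trustType": "Azure AD joined", "isManaged": True}},
    # Non-interactive token refresh; these never show an MFA prompt and are excluded.
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2022-03-07T10:21:00Z", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "deviceDetail": {"trustType": "Azure AD joined", "isManaged": True}},
    # A user sign-in that Security Defaults did challenge ("when necessary").
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2022-03-07T11:00:00Z", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"trustType": "", "isManaged": False}},
]

# trustType values assumed to match the sign-in log export (constructed for this example).
TRUSTED_DEVICE_TYPES = {"Azure AD joined", "Hybrid Azure AD joined", "Azure AD registered"}


def mfa_summary(signins):
    """Count interactive sign-ins per application by authentication requirement.

    Returns {app: {"mfa": n, "single_factor": n}}.
    """
    summary = defaultdict(lambda: {"mfa": 0, "single_factor": 0})
    for s in signins:
        if not s.get("isInteractive", False):
            continue  # token refreshes never prompt, so they would skew the picture
        required_mfa = s.get("authenticationRequirement") == "multiFactorAuthentication"
        summary[s["appDisplayName"]]["mfa" if required_mfa else "single_factor"] += 1
    return dict(summary)


def unprotected_signins(signins):
    """Interactive, single-factor sign-ins from devices the tenant does not know.

    These are the cases the thread is about: a user on a new or personal device
    who got into Microsoft 365 without an MFA challenge.
    Returns a list of (userPrincipalName, app, createdDateTime) tuples.
    """
    findings = []
    for s in signins:
        if not s.get("isInteractive", False):
            continue
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            continue
        device = s.get("deviceDetail") or {}
        if device.get("trustType") in TRUSTED_DEVICE_TYPES:
            continue
        findings.append((s["userPrincipalName"], s["appDisplayName"], s["createdDateTime"]))
    return findings


if __name__ == "__main__":
    for app, counts in sorted(mfa_summary(SAMPLE_SIGNINS).items()):
        print(f"{app:35} MFA={counts['mfa']}  single-factor={counts['single_factor']}")
    for upn, app, when in unprotected_signins(SAMPLE_SIGNINS):
        print(f"REVIEW: {upn} reached {app} at {when} with a single factor from an unknown device")
```

Run against a real export, the per-app summary shows directly whether Security Defaults is challenging M365 sign-ins at all, and the findings list gives the user, app and time of each single-factor sign-in from an unknown device, which is what you would want in hand before deciding whether per-user MFA or Conditional Access is needed on top.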