Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
still waiting for support
Modification Entra CA policy for mfa causing users logged out
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 47%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUM%3C/text%3E%3C/svg%3E)
usman moavia
5
Reputation points
Hi, Recently, I have modified conditional access policy for internal users to require mfa i just excluded one users but after that users are keep on logging out which is also causing conditional access bypass alert on sentinel. I changed the CA policy again to setup sign in frequency to 30 days and checked the persistent browser session to always but it doesn't resolved my issues
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 54%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Michael Kirst 0 Reputation points2025-11-06T16:31:19.82+00:00 Hello @usman moavia ,
Unfortunately, the problem can be caused by various configurations.
It would be best if the setting could first be tested on one user and then on a small group.
Depending on which apps are still in use and which authentication methods are used here, this can lead to problems when “All Users” is used.
What about service accounts? These cannot use MFA.
Is the environment cloud-only or hybrid with a local AD?
What about Outlook on mobile devices, for example? Is MFA also required here? Or is someone or a tool possibly using a POP3 connector or IMAP in Exchange Online?
Are all users really logged out or just some?
Also interesting: how is the scope configured? All cloud apps? All admin portals? Or only certain ones?
Feel free to send me a PM with some screenshots that could help here.
Regards, Michael
-
usman moavia 5 Reputation points
2025-11-10T11:56:10.3866667+00:00 added relevant details @Michael Kirst
Sign in to comment
3 answers
Sort by: Most helpful
-
usman moavia 5 Reputation points
2025-11-07T11:03:00.6066667+00:00 I am considering a solution that may be causing problem i haven't tested yet.
If i just update stsrefreshtoken this will update the timestamp and will assign token according to current CA policy configuration. I believe as default sign in frequency by Microsoft is 90 days and modification were done like 2-3 weeks ago so the token assigned to users are old ones with previous configuration that maybe causing this problem. Lastly, i would re-register authentication methods for the users that are facing this problem.
Can you please review my proposed solution and validate if its good
-
usman moavia 5 Reputation points
2025-11-07T09:52:00.2866667+00:00 Hi,
first of all our environment i all cloud and we are using Entra for access control only we are not managing devices from here. Secondly MFA scope is set to All cloud apps, its for outlook aswell. I noticed most of the failures are triggering by non interactive attempts. Regarding users a subset of users are facing this problem causing Sentinel to trigger alert "Attempt to Bypass Conditional Acesss in Entra ID" and most common error is "["50078: Other MFA required in Azure AD"," MFA required in Azure AD"]"
Please help me out in this it is really getting frustrating because its almost three weeks i am hitting my head to resolve this
Here is screenshots for my CA policy: