From what you described, the behavior you’re seeing is expected.
Registering an MFA method (for example, Microsoft Authenticator) does not automatically enforce MFA at sign-in. Authentication methods only make MFA available to the user; something must explicitly require it. Since you don’t have Security Defaults, Conditional Access, or per-user MFA (legacy) enforcing MFA, that user can still sign in using single-factor authentication even though an MFA device is registered.
Other users in your tenant are likely being prompted because they are covered by a policy (for example, Security Defaults, legacy per-user MFA, or an existing Conditional Access policy), while this specific user is not.
How to enforce MFA for all users
You have two supported options:
Option 1: Enable Security Defaults (recommended if you don’t use Conditional Access)
Security Defaults automatically require MFA for all users and admins and block legacy authentication. This is suitable if you don’t have complex access requirements or Entra ID P1/P2 licenses.
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
Option 2: Create a Conditional Access policy (recommended for P1/P2 tenants)
If you have Microsoft Entra ID P1 or P2, the recommended approach is to create a Conditional Access policy that:
- Users: All users (exclude emergency/break-glass accounts)
- Target resources: All cloud apps
- Grant access: Require multifactor authentication (or an MFA authentication strength)
This ensures every sign-in requires MFA, regardless of whether the user has already registered an MFA method.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength
Important note
Legacy per-user MFA is no longer recommended and is being retired. Microsoft’s guidance is to use Conditional Access or Security Defaults for consistent and future-proof MFA enforcement.
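The Option 2 policy above, built with the Microsoft Graph PowerShell SDK as an added example (not code from the original answer or from Microsoft). It assumes the Microsoft.Graph module is installed, the caller can consent to Policy.ReadWrite.ConditionalAccess, and the break-glass object IDs are placeholders you replace with your own; the policy is created in report-only mode so sign-in impact can be reviewed before switching it to enforced.

```powershell
# Added example: Conditional Access policy "All users / All cloud apps / Require MFA",
# created in report-only mode first. Placeholder values are marked as such.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object IDs of the emergency-access (break-glass) accounts to exclude.
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName   = "Require MFA for all users"
    # Report-only lets you inspect the sign-in logs before enforcing. Change to "enabled" to enforce.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")          # every user in the tenant
            excludeUsers = $breakGlassIds    # keep break-glass accounts out of the policy
        }
        applications = @{
            includeApplications = @("All")   # all cloud apps
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")           # Grant access: Require multifactor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Sanity check: read the policy back and confirm scope and exclusions match what was intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$ok = ($check.Conditions.Users.IncludeUsers -contains "All") -and
      ($check.Conditions.Applications.IncludeApplications -contains "All") -and
      ($check.GrantControls.BuiltInControls -contains "mfa") -and
      (@($check.Conditions.Users.ExcludeUsers).Count -ge 1)
if (-not $ok) { Write-Warning "Policy $($created.Id) does not match the intended scope; review before enabling." }
```

Once the report-only results in the sign-in logs look as expected, set the policy state to "enabled"; users who have not yet registered a method will then be walked through registration at their next sign-in.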