What are the services/settings that can cause MFA/MFA Registration prompt?

Question

When getting an unexpected MFA prompt or MFA Registration prompt, which are the services or settings that can be checked to identify the cause of it?

---

Note: This question is being posted as part of an internal effort at Microsoft to share emerging content with the community. A Microsoft employee will be following up with an answer shortly. If you have feedback regarding this issue, we encourage the community to start a discussion in the comments.

Answer 1

Below is the list of services/setting that can contribute to unexpected MFA prompt:

1. Conditional Access Policy (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)
2. Azure AD Identity Protection (https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy)
3. Security Defaults (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
4. Per-user MFA (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates)
5. Intune device enrollment (https://learn.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication)
6. On-premises ADFS server (https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa
7. MFA to join devices to Azure AD (https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings)

Answer 2

and... Self-service Password Reset (SSPR). Unfortunately this doesn't allow for exclusions when set to ALL, so would need to create a Dynamic security group, include all accounts and exclude the individual ones required.