Azure AD: Reasons for MFA prompts

Alexander Filipin, Nov 9, 2018

Azure AD and Office 365 provide several places to configure multi-factor authentication (MFA). As a result, end users can be prompted for MFA even though the configuration you are looking at suggests otherwise. Fewer MFA prompts (e.g. risk-based or app-specific) can significantly increase user acceptance, but a misconfiguration in any one of these places can force the end user into MFA on every sign-in.

The following is a list of the various configuration points that can lead to multi-factor authentication prompts.

TL;DR

  1. Check standard MFA administration portal
  2. Check conditional access policies / what if tool
  3. Check Security Defaults
  4. Check PIM roles
  5. Check user sign-in risk and identity protection configuration
  6. Check on-premises configuration

MFA Portal


This is the standard (per-user) MFA administration portal that the O365 admin portal links to. Without premium features or federation, this is the portal where MFA is configured.

When using risk based or application specific MFA, the multi-factor auth status in this portal should be set to disabled.

Caution: When you deactivate MFA for a user here, the configured MFA options of the user are reset and the user has to go through the registration again. If the deactivation is performed via PowerShell, this can be prevented.
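The following is an added example, not code from the original post: it uses the legacy MSOnline module (assumed to be installed, with a role that can read user objects) to list every user whose per-user MFA state in this portal is still Enabled or Enforced, which is the usual cause of unexpected prompts when risk-based or app-specific MFA is intended, and shows the PowerShell route for disabling per-user MFA without wiping the user's registered methods.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is installed
# and the signed-in account may read and update user objects in the tenant.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

function Get-PerUserMfaState {
    param($User)
    # StrongAuthenticationRequirements is empty when per-user MFA is Disabled;
    # otherwise its State property reads 'Enabled' or 'Enforced', as in the portal.
    $req = $User.StrongAuthenticationRequirements
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

function Disable-PerUserMfaKeepMethods {
    param([string]$UserPrincipalName)
    # Clearing the requirements via PowerShell disables per-user MFA but leaves
    # StrongAuthenticationMethods intact, so the user does not have to re-register.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Report users whose per-user MFA state forces a prompt regardless of conditional
# access, PIM or sign-in risk policies, plus which methods they have registered.
$report = Get-MsolUser -All | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        PerUserMfaState   = Get-PerUserMfaState -User $_
        RegisteredMethods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
    }
}
$report | Where-Object { $_.PerUserMfaState -ne 'Disabled' } | Format-Table -AutoSize

# Example call with a placeholder UPN (only run this once conditional access covers the user):
# Disable-PerUserMfaKeepMethods -UserPrincipalName 'user@contoso.example'
```

Run the report first and confirm a conditional access policy covers each user before clearing their per-user requirement, otherwise they end up with no MFA at all.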

Conditional access


Conditional access provides a ‘Require multi-factor authentication’ access control. Check your policies and, if required, use the ‘what if’ tool to see which policies apply to a specific user.

Privileged identity management (PIM)


Privileged identity management roles can require multi-factor authentication for role activation. By default this is required for several highly privileged roles and can be activated for additional roles.

Information: If a conditional access policy is configured that requires multi-factor authentication for a particular role, it will not apply while the role is only assigned as ‘eligible’ via PIM and has not been activated.

Information: If a role for PIM activation requires multi-factor authentication, but is permanently assigned, this does not result in multi-factor authentication being required.

Identity Protection — Sign-in risk policy


Identity Protection offers a sign-in risk policy which can prompt for multi-factor authentication when a risk event is detected. For a specific user, you can check the ‘Users flagged for risk’ blade.

On-premises configuration

Depending on the tenant’s configured authentication method, the federation provider in use (e.g. AD FS or PingFederate) can prompt for multi-factor authentication itself.

It is also possible that an on-premises Azure MFA Server installation exists or that the Azure MFA NPS extension is in use.

Something missing? Let me know.
