Published in


Azure AD: Reasons for MFA prompts

Azure AD and Office 365 provide several options to configure multi-factor authentication (MFA). This can result in end-users being prompted for multi-factor authentication, although the configuration may give a different impression. Fewer multi-factor authentications (e.g. risk based or app specific) can significantly increase user acceptance, but misconfigurations can result in the end user always being forced into multi-factor authentication.

The following is a list of the various configuration points that can lead to multi-factor authentication prompts.


  1. Check standard MFA administration portal
  2. Check conditional access policies / what if tool
  3. Check Security Defaults
  4. Check PIM roles
  5. Check user sign-in risk and identity protection configuration
  6. Check on-premises configuration

MFA Portal


This is the standard MFA administration portal to which the O365 admin portal links. Without premium features or federation this is the portal to configure multi-factor authentication.

When using risk based or application specific MFA, the multi-factor auth status in this portal should be set to disabled.

Caution: When you deactivate MFA for a user here, the configured MFA options of the user are reset and the user has to go through the registration again. If the deactivation is performed via PowerShell, this can be prevented.

Conditional access


Conditional access provides a ‘Require multi-factor authentication’ access control option. Check your policies and if required use the ‘what if’ tool for a specific user.

Privileged identity management (PIM)


Privileged identity management roles can require multi-factor authentication for role activation. By default this is required for several highly privileged roles and can be activated for additional roles.

Information: If a conditional access policy is configured that requires multi-factor authentication for a particular role, it will not be applied if the role is assigned ‘eligible’ via PIM and not enabled.

Information: If a role for PIM activation requires multi-factor authentication, but is permanently assigned, this does not result in multi-factor authentication being required.

Identity Protection — Sign-in risk policy


Identity protection offers a sign-in risk policy which can prompt for multi-factor authentication if a risk event is detected. For a specific user you can check the Users flagged for risk blade.

On-premises configuration

Depending on the configured authentication method of the tenant, the used federation (e.g. ADFS or PingFederate) can prompt for multi-factor authentications.

It is also possible that an on-premises Azure MFA Server installation exists or that the Azure MFA NPS extension is used.

Something missing? Let me know.




Identity all the things

Recommended from Medium

What is Ransomware ? — How Ransomware Works — Exploitbyte

{UPDATE} FastBall 2 F. Hack Free Resources Generator

Report IAPP Privacy Intensive: UK 2019, Wed, 13 March

{UPDATE} F18 Flight Simulator Hack Free Resources Generator

Security is another dimension of quality

Numeracle’s STIR/SHAKEN Implementation Report Part III

{UPDATE} PreFlop Poker Trainer Hack Free Resources Generator

Top 10 KYC & AML Service Providers

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alexander Filipin

Alexander Filipin

More from Medium

Terraform doesn’t wanna know

The cat inside in the box

Security Implications of Cloud Computing

Custom Policies in Checkov