Azure AD users and MFA

I ran into this (self-)embarrassing situation at work today wherein users accessing an app we registered against Azure AD were being prompted for 2FA registration even though they were accessing it internally. Thing is, I was involved in setting up our 2FA policies, but I have a sieve-like memory and keep forgetting what I have done (or maybe I am just tired, I dunno!). Time to make a blog post for my future self.

First off, if you want to enforce MFA you can do it via Conditional Access: apply a policy to all users that requires them to use MFA. That only prompts for MFA (and, for a user with nothing registered yet, for registration) on the sign-ins the policy actually applies to; it doesn't make everyone register the first time they log in regardless of how they connect, and that's the bit we are interested in here. In my case the only Conditional Access policies we had required MFA when accessing externally, so for internal access no Conditional Access policy was kicking in.
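As an added example (mine, not from the original post), here is how that "MFA for everyone" policy looks when created through the Microsoft Graph PowerShell SDK, in report-only mode first, followed by a listing of every policy's scope and grant controls so you can see at a glance which ones would actually apply to an internal sign-in (an external-only policy shows up as excluding "AllTrusted" locations). The break-glass account ID and the policy name are placeholders.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) account.
# Always exclude it, otherwise an MFA outage locks every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Require MFA for all users (report-only)"
    # Report-only: evaluated and logged, but not enforced. Switch to "enabled"
    # once the sign-in logs show it is hitting the users and apps you expect.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # No locations condition: this policy applies internally as well as externally.
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review every Conditional Access policy: who and what it targets, any location
# scoping, and what it grants on. A policy that excludes "AllTrusted" locations
# (or only includes untrusted ones) never fires for an internal sign-in.
Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
    [pscustomobject]@{
        Name              = $_.DisplayName
        State             = $_.State
        Users             = ($_.Conditions.Users.IncludeUsers -join ",")
        Apps              = ($_.Conditions.Applications.IncludeApplications -join ",")
        Locations         = ($_.Conditions.Locations.IncludeLocations -join ",")
        ExcludedLocations = ($_.Conditions.Locations.ExcludeLocations -join ",")
        Grant             = ($_.GrantControls.BuiltInControls -join ",")
    }
} | Format-Table -AutoSize
```

Leave the new policy in report-only for a few days and check the "Report-only" column of the sign-in logs before enabling it; the break-glass exclusion is the one thing you should never skip.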

If you have a P2 license (like we did), the place to turn on proactive MFA registration is Azure AD > Security > Identity Protection > MFA registration policy. Enable it and pick the users it covers, and they are asked to register the next time they sign in, independent of whether any Conditional Access policy applies to that sign-in.

We have it set to “Off”, so it’s not actually in effect.

On another note, in the same place there are the user risk and sign-in risk policies, which can force a password change or MFA when Identity Protection flags a user or a sign-in as risky. Again, this is a P2 feature; you can do the same via Conditional Access using the sign-in risk and user risk conditions, but those conditions also rely on Identity Protection, so it is P2 either way.

So the question was where this MFA registration was kicking in. The answer is under Azure AD > Password Reset > Registration, where "Require users to register when signing in?" was set to Yes. That setting interrupts any user who hasn't registered their SSPR security information at their next sign-in, wherever they sign in from, and with the combined registration experience that registration is the same as registering for MFA, which is why it looks like an MFA prompt.

That’s why my users were being asked to register for MFA! At the back of my head I know this but somehow when the time came (a sort of Karna situation, if I might indulge in some Hindu mythology) :)

In addition, under Azure AD > User Settings > Manage user feature preview settings I had the combined security information registration experience (a preview at the time) enabled.

This way users could do both SSPR (Self Service Password Reset) and MFA registration at the same time, which is something we wanted. It also means the SSPR registration interrupt lands users on the same page where they register their MFA methods.

To make matters worse, I had this "smart" idea that I could whitelist this application so that MFA wouldn't be prompted, and so made a Conditional Access policy that said any access to this application should be granted as long as it's from a Hybrid Azure AD joined machine (I couldn't use Trusted Locations as some users were going via VPN and having local Internet breakout). Which was a silly idea, as I'd have seen if I had taken a moment to think about it, because requiring Hybrid Azure AD join makes things worse! That requires you to use Chrome with the Windows extension, or the new Edge with you signed in to it... and so while such a policy is fine for an app like Teams, it blocks access to the app for pretty much everyone in the firm! Dumb, eh? Yeah.
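A way to see all of this in the sign-in logs rather than from memory, as an added example that is not from the original post: pull the recent sign-ins for the app, print which Conditional Access policies applied to each one, with what result and which grant controls were enforced, alongside the device trust type and the error code, then group the failures by trust type. A device-based policy like the one above shows up as a run of failures with no "Hybrid Azure AD joined" trust type. Assumes the Microsoft Graph PowerShell SDK; the app display name is a placeholder.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: display name of the app users were being prompted or blocked on.
$appName = "Contoso Intranet Portal"
$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Top 200 `
    -Filter "appDisplayName eq '$appName' and createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    # Only the policies that were actually evaluated for this sign-in.
    # Result is e.g. success, failure, notApplied, reportOnlySuccess, reportOnlyFailure.
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -ne "notApplied" }
    [pscustomobject]@{
        Time        = $s.CreatedDateTime
        User        = $s.UserPrincipalName
        # 0 = success. 53001 = device not domain joined (a Hybrid Azure AD join
        # requirement failed), 53000 = device not compliant, 53003 = blocked by CA.
        ErrorCode   = $s.Status.ErrorCode
        CaStatus    = $s.ConditionalAccessStatus           # success, failure, notApplied
        # "Hybrid Azure AD joined", "Azure AD joined", "Azure AD registered", or empty
        # when the browser could not present a device identity (e.g. plain Chrome).
        DeviceTrust = $s.DeviceDetail.TrustType
        Browser     = $s.DeviceDetail.Browser
        Policies    = ($applied | ForEach-Object {
                          "$($_.DisplayName)=$($_.Result)[$($_.EnforcedGrantControls -join '+')]"
                      }) -join "; "
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Which device trust types are failing, and with what error: if everything that
# fails has an empty DeviceTrust and error 53001, a device-based grant control is
# the culprit rather than MFA.
"Failures by device trust type and error code:"
$rows | Where-Object { $_.ErrorCode -ne 0 } |
    Group-Object DeviceTrust, ErrorCode |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A sign-in that was interrupted for registration rather than blocked will show an MFA grant control on an applied policy (or no applied policy at all when the SSPR registration setting is doing the interrupting), which is the quick way to tell the two causes apart.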