(Azure AD) MFA - Conditional Access : Additional Verification Options Missing In AD Sign In Event
Deployed a MFA conditional access policy through Azure AD. The policy I deployed is only providing (1) sign-in option for the user I'm testing this policy with and is failing to provide alternative sign-in verification methods (SMS, OTP, etc.) during the sign-in event. Confirmed the remember trusted device portion of the condition of the policy is applying correctly which has been set for 90 days.
Screenshots attached of expected results v. actual results.
User Level:
- Account is MFA compatible
- Within conditional policy scope
- Has multiple verification methods assigned (Authenticator, Email + Phone) - currently only defaults to primary.
Conditional Access Policy Level -Access control: Require Authentication strength enabled w Auth method to check for . -Attempted "Require multifactor authentication" option under policy - results in the same.
Multifactor Authencation Service settings
- Verification options have been enabled
- Remember trusted device enabled and applying to Conditional Access policy (90 days)
- Screenshot below for reference. 'test' under trusted IP put for privacy and not applied to policy
Azure AD Tenant Settings
- Tenant security default settings are disabled
The "Sign in another way" link is only hidden from the UX if only one proof is returned from the Evolved Security Token Service (eSTS) server.
You mention that the user has Authenticator, Email, and Phone set up as additional verification options. According to the documentation, the email address option is only used for SSPR, so that could definitely be part of the issue since it would not count as a secondary form of authentication in this scenario. Also, according to that same documentation, voice call can only be set up as secondary authentication and not primary. From the guide:
If the user has additional verification options set other than the Email option and this still is not working, it would be helpful to see a screenshot of your configuration to verify whether this is an unknown bug or an issue with the setup.
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages