
Getting MFA prompt on user, with exclusion on conditional access policy


We are using CA policy to enforce MFA on users.
For some specific users, we need to disable MFA. We have done that by adding those users to the exclude list under users.
We are still getting MFA prompts on those excluded users when they log in.

What are we missing in our configuration?

We are using the following configuration:

  1. AAD -> Properties -> Manage security defaults -> Enable security defaults: No
  2. AAD -> Password reset -> Self service password reset enabled: None
  3. AAD -> Security -> Conditional Access -> Policies: 3 policies with MFA configured -> Users -> User added to Exclude, as Users and Groups
  4. All users in the tenant are disabled in admin center, Users -> Active users -> Multi-factor authentication -> MFA status: Disabled
  5. So I can't see why my selected users are still getting the MFA prompt when they try to log on?

Any help would be appreciated.


Solution

  • I tried to create one Conditional Access Policy in the Azure AD for enabling MFA for specific users and excluding others. Along with the conditional access policy, I also configured the MFA authentication registration policy.

    Security Defaults set to - No


    Conditional Access Policy MFA Include User:-


    Exclude user :-


    Add Azure Portal in the apps:-


    Require MFA:-


    Enable Policy set to On


    Created Conditional Access Policy successfully like below:-


    Tried logging in with spuser who was included in the Policy and got an MFA prompt like below:-


    Tried logging in with usersid who was excluded from the Policy and did not receive any MFA prompt like below:-


    Signed in successfully:-


    Make sure you have the below settings configured for MFA Registration Policy in Azure AD Identity Protection. If MFA is not needed you need to exclude the User from this Policy.

    Go to > Azure Portal > Azure AD > Security > Identity Protection > MFA registration policy > Assignments > Users > If all users are included > Exclude the specific user > Enforce Policy > On > Save


    Also, validate if there's any other Azure Policy added to the excluded users that is forcing MFA. Also, check if the MFA is not applied to All Users including excluded ones.

    Reference:-

    A user is excluded in conditional access policy but it is still applied - Microsoft Q&A By Amanpreetsingh-MSFT
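The answer's last check (is some other policy still targeting the excluded user?) is the one that most often explains a leftover prompt: an exclusion only removes the user from that one policy, while any other enabled policy that includes the user by "All", by group or by role still enforces MFA. The following added example (not code from the question, the answer or Microsoft) evaluates that logic offline over policy documents in the Microsoft Graph conditionalAccessPolicy shape, i.e. the JSON an admin would pull from `GET /v1.0/identity/conditionalAccess/policies`. The three policies, the user ids and the group id are constructed sample data; the `Principal` type and the function names are this example's own.

```python
"""Which enabled Conditional Access policies still require MFA for a user?

Added example, not part of the original Q&A. Policy documents follow the
Microsoft Graph conditionalAccessPolicy schema (conditions.users.include*/exclude*,
grantControls.builtInControls, state). All ids and names below are constructed.
"""
from dataclasses import dataclass, field

# Only "enabled" enforces the grant; "enabledForReportingButNotEnforced" (report-only)
# and "disabled" never produce a prompt.
ENFORCED_STATES = {"enabled"}


@dataclass(frozen=True)
class Principal:
    """The signing-in user: object id plus transitive group and role membership
    (Graph: /users/{id}/transitiveMemberOf). Constructed for this example."""
    user_id: str
    group_ids: frozenset = field(default_factory=frozenset)
    role_ids: frozenset = field(default_factory=frozenset)


def _matches(users_condition: dict, p: Principal, side: str) -> bool:
    """Does the user match the include* or exclude* half of conditions.users?

    'All' is only meaningful in includeUsers; guest/external-user selectors are
    not modelled here.
    """
    user_list = users_condition.get(f"{side}Users", [])
    if side == "include" and "All" in user_list:
        return True
    if p.user_id in user_list:
        return True
    if p.group_ids & set(users_condition.get(f"{side}Groups", [])):
        return True
    if p.role_ids & set(users_condition.get(f"{side}Roles", [])):
        return True
    return False


def policy_targets(policy: dict, p: Principal) -> bool:
    """Exclusion wins over inclusion, but only inside the same policy."""
    users_condition = policy.get("conditions", {}).get("users", {})
    if _matches(users_condition, p, "exclude"):
        return False
    return _matches(users_condition, p, "include")


def requires_mfa(policy: dict) -> bool:
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def mfa_policies_hitting(policies: list, p: Principal) -> list:
    """Display names of enabled, MFA-granting policies that target the user.
    An empty list means Conditional Access is not the source of the prompt."""
    return [
        pol["displayName"]
        for pol in policies
        if pol.get("state") in ENFORCED_STATES
        and requires_mfa(pol)
        and policy_targets(pol, p)
    ]


# --- constructed sample tenant -------------------------------------------
EXCLUDED_ID = "00000000-0000-0000-0000-0000000000a1"   # user the admin excluded
INCLUDED_ID = "00000000-0000-0000-0000-0000000000b2"   # ordinary user
FINANCE_GROUP = "00000000-0000-0000-0000-00000000c003"  # group the excluded user is in

SAMPLE_POLICIES = [
    {   # the policy the admin edited: exclusion present and correct
        "displayName": "CA01 - Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [EXCLUDED_ID]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # a second policy scoped by group, with no exclusion: still prompts
        "displayName": "CA02 - Require MFA for Finance group",
        "state": "enabled",
        "conditions": {"users": {"includeGroups": [FINANCE_GROUP]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # report-only: never prompts regardless of scope
        "displayName": "CA03 - MFA report-only pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

EXCLUDED_USER = Principal(EXCLUDED_ID, frozenset({FINANCE_GROUP}))
INCLUDED_USER = Principal(INCLUDED_ID)

if __name__ == "__main__":
    for label, who in (("excluded user", EXCLUDED_USER), ("included user", INCLUDED_USER)):
        print(f"{label}: {mfa_policies_hitting(SAMPLE_POLICIES, who)}")
```

Running it shows the excluded user is indeed free of CA01 but is still caught by CA02 through group membership, which is exactly the situation the answer tells you to look for. If the list comes back empty for a user who still gets a prompt, the cause lies outside Conditional Access: the Identity Protection MFA registration policy, per-user (legacy) MFA state, or security defaults.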