We are using CA policy to enforce MFA on users.
For some specific users, we need to disable MFA. We have done that by adding those users to the exclude list under Users.
We are still getting MFA prompts for those excluded users when they log in.
What are we missing in our configuration?
We are using the following configuration:
AAD -> Properties -> Manage security defaults -> Enable security defaults: No
AAD -> Password reset -> Self service password reset enabled: None
AAD -> Security -> Conditional Access -> Policies: 3 policies with MFA configured -> Users -> User added to Exclude, as Users and Groups
All users in the tenant are disabled in the admin center, Users -> Active users -> Multi-factor authentication -> MFA status: Disabled
So I can't see why my selected users are still getting the MFA prompt when they try to log on?
Any help would be appreciated.
I tried to create one Conditional Access Policy in the Azure AD for enabling MFA for specific users and excluding others. Along with the conditional access policy, I also configured the MFA authentication registration policy.
Security Defaults set to - No
Conditional Access Policy MFA Include User:-
Exclude user :-
Add Azure Portal in the apps:-
Require MFA:-
Enable Policy set to On
Created Conditional Access Policy successfully like below:-
Tried logging in with spuser who was included in the Policy and got an MFA prompt like below:-
Tried logging in with usersid who was excluded from the Policy and did not receive any MFA prompt like below:-
Signed in successfully:-
Make sure you have the below settings configured for the MFA Registration Policy in Azure AD Identity Protection. If MFA is not needed, you need to exclude the user from this policy.
Go to > Azure Portal > Azure AD > Security > Identity Protection > MFA registration policy > Assignments > Users > If all users are included > Exclude the specific user > Enforce Policy > On > Save
Also, validate whether there is any other Azure policy applied to the excluded users that is forcing MFA. Also, check that MFA is not applied to All Users including the excluded ones.
Reference:-
A user is excluded in conditional access policy but it is still applied - Microsoft Q&A By Amanpreetsingh-MSFT
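The answer's point is that an exclusion only wins inside the policy that holds it. The following is an added example, not code from the Q&A above: it enumerates every enabled Conditional Access policy that still requires MFA for a user, over constructed sample policies and memberships shaped like Microsoft Graph conditionalAccessPolicy objects (the names `ca_policy`, `USER_GROUPS`, `POLICIES` and the ids are assumptions, not real tenant data).

```python
# Added example (not from the Q&A above): enumerate every enabled Conditional
# Access policy that still requires MFA for a given user. An exclusion only
# wins inside the policy that holds it; a second policy that includes the
# user (directly, via a group, or via "All") keeps prompting. Policies and
# memberships below are constructed sample data shaped like Microsoft Graph
# conditionalAccessPolicy objects, not data from any real tenant.

def ca_policy(name, state="enabled", include_users=(), exclude_users=(),
              include_groups=(), exclude_groups=(), controls=("mfa",)):
    """Build a trimmed Graph-style conditionalAccessPolicy dict."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {
                "includeUsers": list(include_users),
                "excludeUsers": list(exclude_users),
                "includeGroups": list(include_groups),
                "excludeGroups": list(exclude_groups)}},
            "grantControls": {"builtInControls": list(controls)}}

# Constructed directory: user object ids -> group object ids.
USER_GROUPS = {"user-alice": {"grp-all-staff", "grp-break-glass"},
               "user-bob": {"grp-all-staff"}}

# Constructed tenant: alice is excluded from CA01 but still covered by CA02.
POLICIES = [
    ca_policy("CA01 MFA for all users", include_users=["All"],
              exclude_users=["user-alice"]),
    ca_policy("CA02 MFA for staff group", include_groups=["grp-all-staff"]),
    ca_policy("CA03 Legacy (disabled)", state="disabled", include_users=["All"]),
]

def policy_targets_user(policy, user_id, groups):
    """True when the policy's user assignment covers user_id; exclude wins."""
    users = policy["conditions"]["users"]
    if user_id in users["excludeUsers"] or groups & set(users["excludeGroups"]):
        return False
    if "All" in users["includeUsers"] or user_id in users["includeUsers"]:
        return True
    return bool(groups & set(users["includeGroups"]))

def mfa_policies_for(user_id, policies=POLICIES, memberships=USER_GROUPS):
    """Names of enabled policies that grant only with MFA for user_id."""
    groups = memberships.get(user_id, set())
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and "mfa" in p["grantControls"]["builtInControls"]
            and policy_targets_user(p, user_id, groups)]

if __name__ == "__main__":
    for uid in USER_GROUPS:          # alice -> ['CA02 ...'], bob -> CA01 + CA02
        print(uid, "->", mfa_policies_for(uid) or "no MFA policy applies")
```

Against a real tenant the same check would be run over the policy list returned by Microsoft Graph, with the Identity Protection MFA registration policy reviewed separately, since it is not a Conditional Access policy.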
Related
We want to achieve Multi-Factor-Authentication on a per-user-basis using Azure Active Directory B2C. So every user can choose if he/she is prompted for MFA or not.
This feature used to be only available for Azure Active Directory but not for Azure Active Directory B2C. The only way to achieve this was to use Custom Policies. But this is a route we would like to avoid at any cost.
So recently we figured that it's possible to enable MFA conditionally by enforcing a Conditional Access Policy.
We created a Conditional Access Policy and selected only certain users (for which we would like MFA to be active).
However, no matter what we configure in this Conditional Access Policy, it just doesn't make any difference. The only setting which shows any effect is the property "Multifactor authentication -> MFA enforcement" in the User Flow.
Is this just bad UI/UX in the Azure Portal, and configuring a Conditional Access Policy for B2C tenants doesn't do anything, or would it be possible to use Conditional Access Policies to configure MFA for certain users only in an Azure Active Directory B2C tenant and we were just using it wrong?
I tried to reproduce the same in my environment to enable Multi-Factor Authentication on Azure AD B2C:
I have created Application for authenticating users with user flows on Azure AD B2C.
Azure Portal > Azure AD B2C > App registrations > New registration > Name ex: Any Name > Supported account types > Accounts in any identity provider or organizational directory (for authenticating users with user flows).
Create User-Flow with MFA enabled using Conditional Access Policy
Azure AD B2C > User flows > New User flows > Sign up and Sign in
Enable MFA with Conditional Access Policy
Create Conditional Access Policy per user like below.
Azure AD B2C > Conditional Access > New Policy.
Select the users who require MFA authentication.
MFA Grant
MFA will prompt only per selected users on Azure AD B2C.
Verification Page
If I try to log in with the user3 account, which does not have MFA enabled, it does not move to the MFA registration page.
Note: For testing I have enabled MFA for only 2 accounts, User1 and User2.
Deployed a MFA conditional access policy through Azure AD. The policy I deployed is only providing (1) sign-in option for the user I'm testing this policy with and is failing to provide alternative sign-in verification methods (SMS, OTP, etc.) during the sign-in event. Confirmed the remember trusted device portion of the condition of the policy is applying correctly which has been set for 90 days.
Screenshots attached of expected results v. actual results.
Expected results
Actual results
User Level:
Account is MFA compatible
Within conditional policy scope
Has multiple verification methods assigned (Authenticator, Email + Phone) - currently only defaults to primary.
Conditional Access Policy Level
- Access control: Require authentication strength enabled with auth method to check for.
- Attempted the "Require multifactor authentication" option under the policy; results in the same.
Multifactor Authentication service settings
Verification options have been enabled
Remember trusted device enabled and applying to Conditional Access policy (90 days)
Screenshot below for reference. 'test' under trusted IP put for privacy and not applied to policy
Azure AD Tenant Settings
Tenant security default settings are disabled
Auth Strength Method
Conditional Policy linked to Auth Strength
MFA Global Settings - 'test'
The "Sign in another way" link is only hidden from the UX if only one proof is returned from the Evolved Security Token Service (eSTS) server.
You mention that the user has Authenticator, Email, and Phone set up as additional verification options. According to the documentation, the email address option is only used for SSPR, so that could definitely be part of the issue since it would not count as a secondary form of authentication in this scenario. Also, according to that same documentation, voice call can only be set up as secondary authentication and not primary. From the guide:
If the user has additional verification options set other than the Email option and this still is not working, it would be helpful to see a screenshot of your configuration to verify whether this is an unknown bug or an issue with the setup.
I am using AzureAD. And I am implementing MFA.
I know that if the user ID and password login fails a certain number of times, it locks me out.
However, repeated failures in MFA after passing user ID and password authentication will not lock out the user.
Repeated failures on the MFA screen will return you to the initial login screen.
Is this a specification?
If it is possible to lock out even with MFA, please let me know how.
Yes, the lockout feature is available in Azure AD MFA. Please note that this feature is applied only when the users use a PIN code for the MFA prompt.
In order to configure this feature, you need an administrator role.
Based on the number of failed attempts you enter in the settings, account lockout happens accordingly.
To configure this feature, please follow below steps:
Go to Azure Portal -> Azure Active Directory -> Security -> Multifactor authentication -> Account lockout
In the above fields, enter the number based on your requirement and Save.
Like this, you can configure the lockout feature in Azure AD MFA.
Make sure to use PIN for MFA authentication.
Complete credits to below Microsoft Doc:
Configure Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Docs
In my Azure environment, under Compliance, I am getting this as non-compliant. I tried navigating to the MFA section but could not figure it out.
"mfa should be enabled accounts with write permissions on your subscription"
I am not sure how to enable multi factor authentication for write permissions.
How I can fix this ?
There are several ways to enable MFA; one of them is to make use of a Conditional Access policy.
Below are the common steps to enable MFA:
After login to the Azure portal as an administrator (Global/Security)
Select Azure Active Directory -> Security -> Conditional Access
Select New Policy
Select Users & Groups from Assignments
From here you can select the various options based on your requirement, whether it's for write permissions or owner permissions.
Below is the screenshot from Azure Portal:
As Tim Beasley has given the complete process here to enable MFA for write permissions.
We have a federation between our ADFS and the other company's Azure AD using "Claim Provider Trusts". We use the Azure AD to perform the authentication, but our ADFS/AD is sending some claims to our "Relying Party Trusts".
The problem I'm facing is if a user is disabled/expired in our local AD, it is still possible to authenticate and access the applications, because the user is not disabled/expired in the Azure AD. I can't manage the Azure AD and it is a valid situation where the user is disabled/expired in our AD, but still working on the Azure AD.
How can I figure this out, to prevent disabled/expired users from my local AD from accessing my apps?
Thanks!
In Azure AD you need to go to the user's profile and block the user's sign in under the user's profile > Edit > Settings
You do need to have at least the User Administrator role in Azure, so if you don't have access to the Azure AD you will need to ask an admin to do this.
You can also use Graph API to set accountEnabled to false.
PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version
Body:
{
"accountEnabled": false
}
Otherwise you can delete the user in Azure or ask the admin to do that.
For federation, the user should be either in your AD or in the other party's AAD.
(If you use AAD Connect, the user status is synched up to a shadow account).
Otherwise, you end up with this problem.
Is there a reason you have them in both?
Is there a way to match the AAD and the AD user?
If so, you can have a claims rule to get the status of the matching AD user and then deny access if disabled.
Update
You should read up on AAD Connect. It has filters e.g. groups so you can control who is synched up. Once that's working, if they are disabled in AD, then they will be disabled in AAD as well.
You should also look at the application report as it shows apps that can easily be moved to AAD and provides scripts to do so. There's a number of tools.
You could use the claims rules to find the enabled status of the user, set a claim if disabled, and then use the Access Control Policies tab to deny access if this claim exists.
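The "deny if disabled or expired" decision the answer describes hinges on two AD attributes whose encoding is easy to get wrong. The following is an added example, not code from the thread: it derives disabled/expired/active status from userAccountControl and accountExpires over constructed sample records (the names `account_status`, `deny_list`, `SAMPLE_USERS` and the sample values are assumptions for illustration).

```python
# Added example (not from the thread above): the account-status test a
# "deny if disabled/expired" ADFS rule needs, computed from the two AD
# attributes that express it. userAccountControl bit 0x2 (ACCOUNTDISABLE)
# marks a disabled account; accountExpires is a Windows FILETIME (100 ns
# ticks since 1601-01-01 UTC) where 0 and 2**63-1 both mean "never expires".
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

def filetime_to_datetime(ticks):
    """Convert an AD accountExpires FILETIME integer to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse helper so the constructed samples can state expiry as dates."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def account_status(user_account_control, account_expires, now=None):
    """Return 'disabled', 'expired' or 'active' for an AD user record."""
    now = now or datetime.now(timezone.utc)
    if user_account_control & ACCOUNTDISABLE:
        return "disabled"
    if (account_expires not in NEVER_EXPIRES
            and filetime_to_datetime(account_expires) <= now):
        return "expired"
    return "active"

# Constructed sample AD records as an LDAP read would return them.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": 0x200, "accountExpires": 0},  # never expires
    "bob":   {"userAccountControl": 0x202, "accountExpires": 0},  # ACCOUNTDISABLE set
    "carol": {"userAccountControl": 0x200,
              "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))},
    "dave":  {"userAccountControl": 0x200,
              "accountExpires": datetime_to_filetime(NOW + timedelta(days=30))},
}

def deny_list(users=SAMPLE_USERS, now=NOW):
    """Users a 'deny if disabled/expired' rule would reject, with the reason."""
    statuses = {n: account_status(r["userAccountControl"], r["accountExpires"], now)
                for n, r in users.items()}
    return {n: s for n, s in statuses.items() if s != "active"}

if __name__ == "__main__":
    print(deny_list())  # {'bob': 'disabled', 'carol': 'expired'}
```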