Azure AD MFA is not deterministic - azure

I am using Azure services and Azure AD Free (my personal account).
I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users.
When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; is this because the browser sends a cookie? Or maybe because MFA is not always triggered?
Also, if I open an incognito window I get prompted for a code, received via email. My question here is: why email? As per the AAD MFA doc, the email method is NOT an MFA channel!

Please check whether the points below are the reasons you are not getting the prompt for second verification even though MFA is enabled:
Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft mostly suggests excluding the global admin account while enabling MFA. If you have done that, remove your account from the exception group.
There is also a possibility that you selected the checkbox saying “Stay signed in” while logging into your account. Then it will treat your device as a remembered device and suspend MFA prompts. Also please check in the screenshot below whether you have enabled this option (Remember MFA on trusted device). If you enabled that, you won’t get prompts until the number of days you have given expires.
To remove all those sessions, enable “Revoke MFA sessions”, which clears all remembered session history and asks for second verification.
As you already mentioned, an MFA code won’t be sent via email. From this Microsoft Doc:
Email address is only used for Self-Service Password Reset (SSPR), not for authentication.
There is also a possibility that your password has expired and it’s sending you a code to your email to reset it, as you have given it as a recovery option.
NOTE:
As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA based on factors such as location, device, role and task.
For example, if you are accessing from a different location that seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.

Related

Azure B2C Registration campaign not working as expected

For our B2C tenant we want to let our customers make use of the Microsoft Authenticator app. When doing research, we noticed that it was not possible to add the Authenticator app for existing users without disabling phone/text message authentication.
This is not an acceptable situation for us, since that means that someone with customer credentials can take over the enrolment flow.
An MS engineer suggested the following:
The desired situation should be possible with a “Registration campaign” - https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/RegistrationCampaign
Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator.
However, we enabled this option as described in the documentation, but after an existing user signs in no Authenticator app flow is started.
Does someone have experience with how we can make this work?
As far as I know, even after enabling MFA, if existing users don't receive the authenticator app approval, please try the steps below:
There is a chance that your users selected “Stay signed in” while logging into their accounts. By doing this their devices will be treated as remembered devices, which suspends MFA prompts.
While enabling MFA, if you set Remember MFA on trusted device, then the user won't get prompts until the duration expires.
To resolve the issue, try clearing all old session history by enabling “Revoke MFA sessions”.
If the issue still persists, try enabling Re-register MFA, which asks the users to set up a new MFA authentication method when they sign in.
For more reference, please find the links below:
Enable multifactor authentication in Azure Active Directory B2C
Manage user authentication options

How to configure MFA (in Azure B2C) for some App with enforcement once per day (not each time when log in)?

Now I have configured a B2C tenant with an Enterprise app with MFA via a "User flow", with confirmation by email.
Everything is OK, but we need to use this MFA just once per day. When users log in in the morning they have to use their login, password, and the verification code sent by email, but only the first time; for the rest of the day, when they log out and log in again, they should use just the login (username) and password.
So, how do I configure MFA for this?
I saw "Sign-in frequency" in the Conditional Access settings, but the documentation wasn't much help.
Any advice will be helpful, thank you.
We can manage authentication sessions with Azure AD Conditional Access by configuring the options below.
Configure sign-in frequency
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. You can set the value from 1 hour to 365 days.
Configure persistent browser session
This setting allows users to remain signed in after closing and reopening their browser window. We support two new settings: always persist or never persist. In both cases, you’ll make the decision on behalf of your users and they won’t see a “Stay signed in?” prompt.
You can find more information here as well as steps to configure sign-in frequency.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-multi-factor-authentication
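As a worked illustration of the answer above (this is an added example, not code from the thread or from Microsoft's documentation), the following script creates a Conditional Access policy with the Microsoft Graph PowerShell SDK that requires MFA for one Enterprise app but re-prompts at most once per day. It assumes Azure AD Premium P1, the Microsoft.Graph.Identity.SignIns module, and an account allowed to write Conditional Access policies; the application ID and the exclusion group ID are placeholders you replace with your own values.

```powershell
# Added example (not from the original thread): "MFA once per day" for a single app
# via a Conditional Access policy, created with the Microsoft Graph PowerShell SDK.
# Assumptions: Azure AD Premium P1, module Microsoft.Graph.Identity.SignIns installed,
# and the signed-in account holds a role that can manage Conditional Access.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholders: replace with your Enterprise app's application (client) ID and the
# object ID of the group that holds your break-glass / emergency-access accounts.
$appId             = "00000000-0000-0000-0000-000000000000"
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "MFA once per day - sensitive app"
    # Start in report-only mode so the effect can be reviewed in the sign-in logs
    # before the policy is switched to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Keep emergency-access accounts out of scope so a mistake cannot lock every admin out
            # (the same reason the earlier answer mentions an exception group for the global admin).
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($appId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency: require a fresh sign-in (and therefore MFA) for this app
        # at most once every 24 hours. Allowed range is 1 hour to 365 days.
        signInFrequency = @{
            isEnabled = $true
            value     = 1
            type      = "days"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Before enabling the policy, disable "Remember MFA on trusted devices" in the legacy per-user MFA settings, otherwise that remembered-device window overrides the sign-in frequency. The "persistent browser session" control from the answer above is deliberately left out here because Azure AD only accepts it on policies scoped to all cloud apps, not a single app. Validate in report-only mode first, then change `state` to `enabled`.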

Additional MFA for sensitive apps in Azure AD

We have received a requirement from a client where they want MFA to be imposed mandatorily in case a user accesses certain sensitive applications. E.g., I log in to myapps and am prompted for MFA and land on the desired page. On accessing a certain app from myapps I should be prompted for MFA again (irrespective of how long it has been since I logged in).
With Conditional Access policies, though I attach 'Require MFA' to those applications, it doesn't prompt for MFA if I am already logged in and have a session.
Any pointers as to how to achieve the intended functionality?
I don't think you can achieve this; if the user's session exists, it will not re-enforce the MFA auth.
So if you want the re-auth with MFA, you must clear the session. The closest way is to leverage the Sign-in Frequency policy, but you can only set it to 1 hour at least; after one hour, the user will be prompted to sign in again. Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If Remember MFA on trusted devices is enabled, be sure to disable it before using Sign-in Frequency.

Can't sign-in caused by MFA

I'm using Office 365 Business Premium for my test. Since a couple of days ago, I've been getting a prompt for an Authentication code (see below) after entering my password when I try to sign in.
(screenshot: MFA prompt)
It seems like MFA became enabled suddenly although I didn't do any such configuration. I suspect my account may have been compromised.
Is there any way to recover from this situation?
Thanks
Kaypyosh
If you lost your phone, you will need to reach out to your administrator to reset your information.
The Authenticator app is designed so that you have to prove your identity, so it will require the admin reset if Authenticator MFA is enforced.
If you are the only global admin on the tenant then you can reach the Azure data protection team to get this resolved.
Azure Data Protection number (866-807-5850)
However, if there is a second global admin you will need to reach out to that person to reset the settings. Please refer to this similar one.
Only the global admin is able to set up or modify MFA.
You can turn off MFA by following these steps:
1. Go to the Office 365 admin center.
2. Go to Users > Active users.
3. Choose More > Setup Azure multi-factor auth.
4. Check your account.
5. Click Disable on the right.
Please check here

Trying to switch directories in Azure

I am trying to switch directories in Azure, but it prompts me to approve the request in the Authenticator application. However, I have removed that entry from the Authenticator application.
When I try to sign in a different way, it still prompts me to use the Authenticator app.
It seems that you did not set a phone number at the last step when you added the Authenticator.
So, just as #juunas mentioned in the comment, you need to contact other admins to reset your MFA settings from the Azure portal:
You can set up your Authenticator again by going to https://aka.ms/mfasetup, but you probably need to have your AAD administrator Require re-register MFA again, since you won't be able to log in there without MFA if you are not already logged in.