toto'

Reputation: 1574

Azure AD MFA is not deterministic

I am using Azure services and Azure AD Free (my personal account). I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users. When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; maybe this is because the browser sends a cookie? Or maybe because MFA is not always triggered? Also, if I open an incognito window I get prompted for a code, received via email. My question here is: why email? As per the AAD MFA doc, the email method is NOT an MFA channel!

Upvotes: 0

Views: 702

Answers (1)

Sridevi

Reputation: 22412

Please check whether the following are the reasons behind not getting the prompt for second verification even though MFA is enabled:

  1. Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft mostly suggests excluding the global admin account while enabling MFA. If you have done that, remove your account from the exception group.
  2. There is also a possibility that you selected the checkbox saying “Stay signed in” while logging into your account. Then it will treat your device as a remembered device and suspends enabling MFA. Also please check in the screenshot below whether you have enabled this option (Remember MFA on trusted device). If you enabled that, you won’t get prompts until the duration of days you have given expires.

[screenshot 1]

To remove all those sessions, enable “Revoke MFA sessions” which clears all remembered sessions history and asks for second verification.

[screenshot 2]

As you already mentioned, MFA code won’t be sent via email.

From this Microsoft Doc,

Email address is only used for Self-Service Password Reset (SSPR) not for authentication.

There is also a possibility that your password has expired and it’s sending you a code to your email to reset it, as you have given it as a recovery option.

NOTE:

As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA, based on factors such as location, device, role and task.

For example, if you are accessing from a different location and it seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.

Upvotes: 1
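As an added example (not part of the question or of Sridevi's answer): the two points above can be checked from data rather than guessed at. The script below classifies Azure AD / Entra ID sign-in log records by how the MFA requirement was met (fresh prompt, satisfied by a claim in an existing token as happens with "Stay signed in" or a remembered device, or not required at all), and audits a user's registered authentication methods to show that an email method is SSPR-only and cannot satisfy an MFA challenge. The log records and method list are constructed for this example; the field names (`authenticationRequirement`, `authenticationDetails[].authenticationStepResultDetail`, `mfaDetail.authMethod`, the `@odata.type` values) are those of the Microsoft Graph `signIn` resource and the `/users/{id}/authentication/methods` endpoint, and the set of method types treated as MFA-capable is this example's own assumption.

```python
"""Classify sign-in log records by how MFA was satisfied and audit registered methods.

Added example; the records below are constructed in the shape of Microsoft Graph
signIn objects and authenticationMethod objects, not real tenant data.
"""
import json
from collections import Counter, defaultdict

# Constructed sample sign-in log (one JSON object per line); only the fields the
# classifier reads are present.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "admin@contoso.example", "authenticationRequirement": "multiFactorAuthentication", "authenticationDetails": [{"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"}, {"authenticationMethod": "Microsoft Authenticator App", "authenticationStepResultDetail": "MFA successfully completed"}], "mfaDetail": {"authMethod": "Mobile app notification"}}
{"userPrincipalName": "admin@contoso.example", "authenticationRequirement": "multiFactorAuthentication", "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}], "mfaDetail": {}}
{"userPrincipalName": "admin@contoso.example", "authenticationRequirement": "singleFactorAuthentication", "authenticationDetails": [{"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"}], "mfaDetail": {}}
{"userPrincipalName": "user1@contoso.example", "authenticationRequirement": "multiFactorAuthentication", "authenticationDetails": [{"authenticationMethod": "Previously satisfied", "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}], "mfaDetail": {}}
"""

SINGLE_FACTOR = "single_factor"             # policy did not require MFA on this sign-in
MFA_PROMPTED = "mfa_prompted"               # user completed a second factor interactively
MFA_FROM_TOKEN = "mfa_satisfied_by_token"   # remembered device / existing session claim
MFA_UNRESOLVED = "mfa_required_unresolved"  # MFA required, but the record does not say how it was met


def classify_signin(record: dict) -> str:
    """Return one of the four categories above for a single signIn record."""
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        return SINGLE_FACTOR
    for step in record.get("authenticationDetails") or []:
        detail = (step.get("authenticationStepResultDetail") or "").lower()
        # This is the step detail the sign-in log shows when an earlier MFA
        # claim in the session token was reused instead of prompting again.
        if "satisfied by claim" in detail:
            return MFA_FROM_TOKEN
    if (record.get("mfaDetail") or {}).get("authMethod"):
        return MFA_PROMPTED
    return MFA_UNRESOLVED


def summarize_signins(log_text: str) -> dict:
    """Count sign-in categories per user from a newline-delimited JSON log."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        user = record.get("userPrincipalName", "<unknown>")
        per_user[user][classify_signin(record)] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


# Assumption of this example: which Graph authentication-method types can
# satisfy an MFA challenge. Email is registered for SSPR only.
MFA_CAPABLE_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
}
SSPR_ONLY_METHOD_TYPES = {"#microsoft.graph.emailAuthenticationMethod"}


def audit_registered_methods(methods: list) -> dict:
    """methods: list of dicts as returned by GET /users/{id}/authentication/methods."""
    types = {m.get("@odata.type", "") for m in methods}
    return {
        "mfa_capable": sorted(types & MFA_CAPABLE_METHOD_TYPES),
        "sspr_only": sorted(types & SSPR_ONLY_METHOD_TYPES),
        "can_complete_mfa": bool(types & MFA_CAPABLE_METHOD_TYPES),
    }


# Constructed: a user who has only a password and a recovery email registered.
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
    {"@odata.type": "#microsoft.graph.emailAuthenticationMethod",
     "emailAddress": "recovery@example.com"},
]

if __name__ == "__main__":
    for user, counts in summarize_signins(SAMPLE_SIGNIN_LOG).items():
        print(user, counts)
    print(audit_registered_methods(SAMPLE_METHODS))
```

Run against a real export (for example the JSON returned by the Graph `auditLogs/signIns` endpoint), a high `mfa_satisfied_by_token` count for an account explains the "sometimes no prompt" behaviour without any MFA failure, and an `audit_registered_methods` result with `can_complete_mfa` false is the situation where a code arriving by email can only be an SSPR flow, not a second factor.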
