J Flex

Reputation: 460

Azure AD B2C MFA enforcement doesn't work

We want to have some users required to use MFA and some users that can log in without. For this we have two groups "MFA Required" and "MFA Not Required". When we want to activate MFA for a user, we simply move them from one group to the other. We have a conditional access that enforces the MFA.

The includes/excludes: (screenshot)

The grant: (screenshot)

The User flow: (screenshot)

The issue is that now I get the MFA screen for all users. The "MFA Enforcement" even says "Conditional delegates the MFA decision to conditional access policies." when hovering above the "i". When I check the option "Enforce conditional access policies" in the User Flow nothing changes.

What is going on here? I feel I'm missing something, but I can't find anything online.

EDIT: I checked the audit logs in Azure and when I log in with the user from "MFA Required" I see this: (screenshot)

And for the user from "MFA Not Required" I see this: (screenshot)

I still get the MFA screen for both though.

Upvotes: 0

Views: 1387

Answers (3)

jan-marten

Reputation: 76

Another solution is to use an extra User Flow for login without MFA conditions set.

Requirements:

  • UserFlow1 with ClientId1: with conditional MFA requirements (as shown in the first screenshot in this topic)
  • UserFlow2 with ClientId2: without MFA (no enforcement and no conditional)
  • Your application has a list of users with knowledge of MFA setting (yes/no)
  • You need an initial login page (only contains e-mail address)

Steps to implement:

  1. User enters e-mail address
  2. check if MFA is required in your application
  3. Redirect to UserFlow1 or UserFlow2 with [email protected] in the url for convenience
  4. Validate claims; the property tfp contains the flow used for login, and this must match the flow from step 2.

Update: you need two separate app registrations with separate ClientIds to get this working.

Upvotes: 0
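The routing and claim check described in the steps above, as an added example that is not part of the answer or of any Microsoft sample. The tenant name, policy names, client ids and the MFA user list are constructed placeholders; `login_hint` is used to prefill the e-mail address.

```python
# Added example: send a user to the MFA or non-MFA B2C user flow (steps 2-3)
# and verify that the returned token really came from that flow (step 4).
# Tenant, policy names, client ids and the MFA list are constructed placeholders.
from urllib.parse import urlencode

TENANT = "contoso"  # placeholder tenant name
# Each user flow is bound to its own app registration / client id,
# as the answer's update notes.
FLOWS = {
    "mfa": {"policy": "B2C_1_signin_mfa",
            "client_id": "11111111-1111-1111-1111-111111111111"},
    "nomfa": {"policy": "B2C_1_signin_nomfa",
              "client_id": "22222222-2222-2222-2222-222222222222"},
}
MFA_REQUIRED_USERS = {"alice@example.com"}  # constructed sample list


def select_flow(email: str) -> dict:
    """Step 2: decide which flow this user must use, based on the app's own list."""
    key = "mfa" if email.lower() in MFA_REQUIRED_USERS else "nomfa"
    return FLOWS[key]


def authorize_url(email: str, redirect_uri: str) -> str:
    """Step 3: build the redirect to the chosen flow, prefilling the e-mail."""
    flow = select_flow(email)
    params = {
        "client_id": flow["client_id"],
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "login_hint": email,
        "nonce": "placeholder-nonce",  # use a random per-request value in practice
    }
    return (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{flow['policy']}/oauth2/v2.0/authorize?" + urlencode(params))


def claims_match_flow(claims: dict, email: str) -> bool:
    """Step 4: accept the token only if it was issued by the flow the user was
    routed to (tfp/acr carries the policy name) and for that flow's client id.
    Skipping this check would let a token from the non-MFA flow be accepted
    for a user who is required to use MFA."""
    flow = select_flow(email)
    policy = claims.get("tfp") or claims.get("acr", "")
    return (policy.lower() == flow["policy"].lower()
            and claims.get("aud") == flow["client_id"])
```

The `claims` dict is the already signature-verified payload of the id_token; signature and expiry validation are left to the OIDC library in use.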

J Flex

Reputation: 460

RukminiMr-MT's answer helped me gather a lot of information.

I had contacts with people from Microsoft and the thing is that when you use the Authenticator app as MFA option every user will have to register their authenticator app as MFA solution the next/first time they log in (after the change).

After they registered it for the first time they'll never get the MFA screen again. It's just a one time thing. The second time they log in, only the users from my MFA list get the MFA screen.

Check the date of this answer, since there are items in preview everything I just said might already have changed.

Upvotes: 0

Rukmini

Reputation: 15659

The reason behind getting the MFA screen for all users may be due to the below:

  • Check whether you have enabled per-user MFA for the users. (screenshot)
  • Please note that, if you are using conditional access policies, you should not enable/enforce per-user Azure AD MFA.
  • If you have enabled that option, the user might get the MFA screen even if they are excluded via conditional access policies.
  • Check whether you have enabled the security defaults option. If enabled, make sure to disable it. (screenshot)

Please check whether Self-Service Password Reset is enabled. Make sure to disable it.

For more detail, please refer to the links below:

Enable per-user Multi-Factor Authentication - Azure Active Directory | Microsoft Docs

Disable Azure AD MFA Interrupt Mode for a group of users - Stack Overflow

Upvotes: 1
