Azure AD B2C MFA enforcement doesn't work
We want to have some users required to use MFA and some users that can log without. For this we have two groups "MFA Required" and "MFA Not Required". When we want to active MFA for a user, we simply move them from one group to the other. We have a conditional access that enforces the MFA.
The includes/excludes:
The grant:
The User flow:
The issue is that now I get the MFA screen for all users. The "MFA Enforcement" even says "Conditional delegates the MFA decision to conditional access policies." when hovering above the "i". When I check the option "Enforce conditional access policies" in the User Flow nothing changes.
What is going on here? I feel I'm missing something, but I can't find anything online.
EDIT: I checked the audit logs in azure and when I log in with the user from "MFA Required" I see this:
And for the user from "MFA Not Required" I see this:
I still get the MFA screen for both though.
RukminiMr-MT answer helped me gather a lot of information.
I had contacts with people from Microsoft and the thing is that when you use the Authenticator app as MFA option every user will have to register their authenticator app as MFA solution the next/first time they log in (after the change).
After they registered it for the first time they'll never get the MFA screen again. It's just a one time thing. The second time they log in, only the users from my MFA list get the MFA screen.
Check the date of this answer, since there are items in preview everything I just said might already have changed.
- How can I sign a JWT to exchange an access token from azure active directory?
- Azure Web App EasyAuth callback throws error
- "AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'PowerBI'. Send an interactive authorization request
- Azure Correlation Id and Request ID
- PowerShell Graph SDK to retrieve Azure AD / Entra B2C Resource Group Name
- Users and Shared mailboxes within one Excel file using powershell
- Questions on microsoft azure portal app registration
- How can I pass custom claims delivered via assertion into claims returned of access token?
- how can I force users to use two factor authentication with MSAL angular?
- Powershell: Get users from dynamic group in EntraID
- I cannot send mail using Azure OAuth with Nodemailer
- PlayFab integration with Azure AD B2C as OpenID Connect
- Sharepoint online 'Unsupported app only token.'
- Can't get events with open extension in Microsoft Graph API
- Provide SSL certificate for internal Website
- Getting "Unable to complete authentication for user due to looping logins" while making an api call through postman to azure
- azure ad difference between group based and role based authorization
- Powershell EntraID - Get display names of user groups
- API Access to SharePoint Files/Lists via SharePoint REST, API & MSAL, using deamon/service account
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Id token in microsoft with ./Default scope
- Unattended authentication using Azure Active Directory- UserCredential not accepting username and password
- Assigning Roles to a Group and scoping that to an Admin Unit programatically in Entra
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)