Azure AD B2C MFA enforcement doesn't work
We want to have some users required to use MFA and some users that can log without. For this we have two groups "MFA Required" and "MFA Not Required". When we want to active MFA for a user, we simply move them from one group to the other. We have a conditional access that enforces the MFA.
The includes/excludes:
The grant:
The User flow:
The issue is that now I get the MFA screen for all users. The "MFA Enforcement" even says "Conditional delegates the MFA decision to conditional access policies." when hovering above the "i". When I check the option "Enforce conditional access policies" in the User Flow nothing changes.
What is going on here? I feel I'm missing something, but I can't find anything online.
EDIT: I checked the audit logs in azure and when I log in with the user from "MFA Required" I see this:
And for the user from "MFA Not Required" I see this:
I still get the MFA screen for both though.
RukminiMr-MT answer helped me gather a lot of information.
I had contacts with people from Microsoft and the thing is that when you use the Authenticator app as MFA option every user will have to register their authenticator app as MFA solution the next/first time they log in (after the change).
After they registered it for the first time they'll never get the MFA screen again. It's just a one time thing. The second time they log in, only the users from my MFA list get the MFA screen.
Check the date of this answer, since there are items in preview everything I just said might already have changed.
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Azure Active Directory skip account selection on logout
- Azure active directory - Get access token using Azure CLI
- Azure B2C / WPF - Handling a failed MFA verification flow
- How do I display Job Title in my Next Auth app
- Login failed for user identified principal
- What does "grant admin consent" button do in azure Azure Active Directory application?
- Azure AD Graph API or Powershell Graph: Gathering all the assigned roles that are associated to a group
- Azure AD user unable to connect to Azure SQL Error: 18456,State:1,Class:14
- Is there a way to add the sam_account_name of a user in the id_token claims?
- No users to select from the list in Azure Role assignments using Resource Group Owner
- Azure pipelines cannot connect to Azure SQL via AD/Entra using a custom console application