Advice on how to test MFA enabled using "Security Defaults"

MH9642 1 Reputation point
2020-12-02T12:19:07.997+00:00

We have the "Security Defaults" enabled on our Azure AD tenant.

Some users have reported that they have never been prompted to authenticate their MS365/Teams/SharePoint logins using MFA. I'm not sure I believe this, but wish to verify that MFA is set up and functioning correctly.

To investigate, I asked several users to visit our SharePoint site in a new Chrome incognito window. When I do this myself, I'm always forced to login and authenticate using MFA. However, several users are not asked for MFA authentication when they do this.

I'm not sure if this indicates a problem with the MFA setup or whether my test method (i.e. assuming the incognito window should force MFA authentication) is flawed.

So my questions are:

  1. Should users be prompted to authenticate using MFA when using an incognito window?
  2. (if no to Q1) Is there a way to force MFA authentication for a user? (Or is there another way to test MFA?).
  3. Is it possible to view the MFA settings of individual users?

(NB: I'm aware of the page https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx, but I understand that the settings on this page are not used for MFA enabled using "Security Defaults", and "Multi-Factor Auth Status" on this page is displayed as "Disabled" for all users - which I know is not true.)

Thanks


2 answers

  1. 2020-12-02T18:32:56.577+00:00

    Hello @markholloway-4253

    1. Yes, they should be prompted for MFA regardless of the browser or mode.
    2. Once Security Defaults is enabled, MFA should be enforced for all users and for Microsoft 365 applications.
    3. You can use the Get-MgUserAuthenticationPhoneMethod cmdlet as described here.

    That being said, I've replicated your issue, which seems to affect users who had MFA enabled prior to enabling Security Defaults. I will reach out to the Azure AD team about this and come back to you.


  2. MH9642 1 Reputation point
    2020-12-04T13:17:36.507+00:00

    Thanks for this anonymous user-msft.

    It's definitely not behaving as you say it should in #1.

    Also, we were not using MFA before enabling Security Defaults, so I don't think it's related to previous user MFA settings in our case.

    I was able to pull the user MFA settings using PowerShell MSOnline / Get-MsolUser. (I don't think the Get-MgUserAuthenticationPhoneMethod cmdlet can be used with Azure AD?).

    # List each user's per-user MFA state, registered methods and which one is the default
    Get-MsolUser -All |
        Select-Object UserPrincipalName, DisplayName,
            @{n='Status'; e={$_.StrongAuthenticationRequirements.State}},
            @{n='Methods'; e={($_.StrongAuthenticationMethods).MethodType}},
            @{n='Chosen Method'; e={($_.StrongAuthenticationMethods).IsDefault}} |
        Out-GridView

    All users except two have authentication methods = {PhoneAppOTP, PhoneAppNotification} i.e. the authenticator app, as expected.
    Of the other users, one has {OneWaySMS, TwoWayVoiceMobile} and the other has {OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification}. I thought that the Security Defaults only support MFA using the authentication app - not SMS or voice. You can only choose the authentication app methods when registering MFA. So it's strange that these two users have SMS and voice authentication enabled and even stranger that one user doesn't have the authentication app methods enabled. This seems a bit of a mess!! However this is separate from my original issue... several users with {PhoneAppOTP, PhoneAppNotification} are not being prompted for MFA.

    Thanks for raising this with the Azure AD team. I'll raise a support ticket about this as well.
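As an added example, not code from the original thread, the following builds on the Get-MsolUser query in the reply above into a per-user registration report that flags the accounts worth raising in the support ticket: users with no second factor registered, users without the Authenticator app, and users whose default method is SMS or voice. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the output file name is an arbitrary choice.

```powershell
# Added example, not from the original thread. Per-user MFA registration report
# built on Get-MsolUser. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run with an admin account.

# Security Defaults prompts through the Microsoft Authenticator app, so these are
# the two method types every enrolled user is expected to have registered.
$appMethods = @('PhoneAppOTP', 'PhoneAppNotification')

$report = Get-MsolUser -All | ForEach-Object {
    $user    = $_
    $methods = @($user.StrongAuthenticationMethods | Select-Object -ExpandProperty MethodType)
    $default = $user.StrongAuthenticationMethods |
               Where-Object { $_.IsDefault } |
               Select-Object -First 1 -ExpandProperty MethodType
    $hasApp  = @($appMethods | Where-Object { $methods -contains $_ }).Count -gt 0

    # Classify the account. No registration at all is the most serious case, since
    # that user has no second factor; a missing app registration or a non-app
    # default explains the SMS/voice combinations seen in the thread.
    $finding = if ($methods.Count -eq 0)            { 'NO MFA METHOD REGISTERED' }
               elseif (-not $hasApp)                { 'AUTHENTICATOR APP NOT REGISTERED' }
               elseif ($default -notin $appMethods) { 'DEFAULT METHOD IS NOT THE APP' }
               else                                 { 'OK' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Licensed          = $user.IsLicensed
        # Legacy per-user MFA state. Security Defaults does not set it, so an
        # empty value here is expected and is not evidence that MFA is off.
        PerUserMfaState   = ($user.StrongAuthenticationRequirements | Select-Object -ExpandProperty State)
        Registered        = ($methods -join ',')
        DefaultMethod     = $default
        Finding           = $finding
    }
}

# Show only the accounts that need attention, then keep a CSV for the support ticket.
$report | Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object Finding, UserPrincipalName |
    Format-Table UserPrincipalName, Registered, DefaultMethod, Finding -AutoSize
$report | Export-Csv -Path .\mfa-registration-report.csv -NoTypeInformation
```

Registration only shows what a user could be prompted with; whether a given sign-in actually required MFA is recorded per entry in the Azure AD sign-in logs, which is the place to check the incognito-window test results for a specific user.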