
MH9642 asked AlfredoRevilla commented

Advice on how to test MFA enabled using "Security Defaults"

We have the "Security Defaults" enabled on our Azure AD tenant.

Some users have reported that they have never been prompted to authenticate their MS365/Teams/SharePoint logins using MFA. I'm not sure I believe this, but wish to verify that MFA is set up and functioning correctly.

To investigate, I asked several users to visit our SharePoint site in a new Chrome incognito window. When I do this myself, I'm always forced to login and authenticate using MFA. However, several users are not asked for MFA authentication when they do this.

I'm not sure if this indicates a problem with the MFA setup or whether my test method (i.e. assuming the incognito window should force MFA authentication) is flawed.

So my questions are:

  1. Should users be prompted to authenticate using MFA when using an incognito window?

  2. (if no to Q1) Is there a way to force MFA authentication for a user? (Or is there another way to test MFA?).

  3. Is it possible to view the MFA settings of individual users?

(NB: I'm aware of the page https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx, but I understand that the settings on this page are not used for MFA enabled using "Security Defaults", and "Multi-Factor Auth Status" on this page is displayed as "Disabled" for all users - which I know is not true.)

Thanks

azure-ad-multi-factor-authentication

alfredorevilla-msft answered

Hello @markholloway-4253

  1. Yes they should be prompted for MFA regardless of the browser or mode.

  2. Once Security Defaults is enabled, MFA should be enforced for all users and for Microsoft 365 applications.

  3. You can use the Get-MgUserAuthenticationPhoneMethod cmdlet as described here.

With that said, I've replicated your issue, which seems to affect users who had MFA enabled prior to enabling Security Defaults. I will reach out to the Azure AD team about this and come back to you.

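The answer above recommends checking registered methods, but the question is whether a user was actually challenged. The Azure AD sign-in log records that directly: each sign-in carries an AuthenticationRequirement of either singleFactorAuthentication or multiFactorAuthentication, plus the individual authentication steps. The script below is an added example, not code from the original thread or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to AuditLog.Read.All and Directory.Read.All, and that the tenant has an Azure AD Premium P1 license, which the signIns API requires. The user principal names are constructed placeholders. Two caveats a practitioner should keep in mind before reading the output: Security Defaults gives each user 14 days from their first interactive sign-in to register for MFA, and a user who has not registered is not challenged; and a sign-in whose MFA step reads "Previously satisfied" was not prompted because an existing session claim satisfied the requirement.

```powershell
# Added example (not from the original thread). Pulls recent interactive
# sign-ins for a list of users and shows, per sign-in, whether Azure AD
# demanded MFA and which step satisfied it. Assumes the Microsoft.Graph
# PowerShell SDK is installed, the caller can consent to AuditLog.Read.All
# and Directory.Read.All, and the tenant holds a Premium P1 license.
# The UPNs below are constructed placeholders; replace them with the users
# who report never being prompted.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$usersToCheck = @('alice@contoso.example', 'bob@contoso.example')   # constructed
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

$report = foreach ($upn in $usersToCheck) {
    # OData filter on the signIns endpoint; createdDateTime must be UTC ISO 8601.
    $filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -Top 50

    foreach ($s in $signIns) {
        # Every step other than the password itself is the second factor.
        # An AuthenticationMethod of 'Previously satisfied' means MFA was
        # honoured from an existing session claim, i.e. no prompt this time.
        $mfaSteps = @($s.AuthenticationDetails | Where-Object {
            $_.AuthenticationMethod -and $_.AuthenticationMethod -ne 'Password'
        })
        $result = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Fail $($s.Status.ErrorCode)" }

        [pscustomobject]@{
            User        = $upn
            When        = $s.CreatedDateTime
            App         = $s.AppDisplayName
            Result      = $result
            # 'singleFactorAuthentication' = Azure AD did not demand MFA at all.
            # 'multiFactorAuthentication'  = MFA was demanded (prompted or cached).
            Requirement = $s.AuthenticationRequirement
            MfaSteps    = ($mfaSteps | ForEach-Object {
                              "$($_.AuthenticationMethod)=$($_.AuthenticationStepResultDetail)"
                          }) -join '; '
        }
    }
}

$report | Sort-Object User, When | Format-Table -AutoSize

# Successful sign-ins that were only single-factor are the ones to take to
# Microsoft support: the tenant policy did not require MFA for that sign-in.
$report |
    Where-Object { $_.Result -eq 'Success' -and $_.Requirement -eq 'singleFactorAuthentication' } |
    Select-Object User, When, App |
    Format-Table -AutoSize
```

Run it once against yourself (where the incognito test does prompt) and once against a user who reports no prompt; the difference between a multiFactorAuthentication row with a "Mobile app notification" step and a singleFactorAuthentication row is the evidence the question is asking for, independent of what the browser happened to show.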

MH9642 answered AlfredoRevilla commented

Thanks for this, anonymous user-msft.

It's definitely not behaving as you say it should in #1.

Also, we were not using MFA before enabling Security Defaults, so I don't think it's related to previous user MFA settings in our case.

I was able to pull the user MFA settings using PowerShell MSOnline / Get-MsolUser. (I don't think the Get-MgUserAuthenticationPhoneMethod cmdlet can be used with Azure AD?)

 # Per-user MFA state and registered methods via the legacy MSOnline module.
 # "Chosen Method" reports the MethodType of the method flagged IsDefault.
 Get-MsolUser -All |
     Select-Object UserPrincipalName, DisplayName,
         @{n='Status';        e={ $_.StrongAuthenticationRequirements.State }},
         @{n='Methods';       e={ $_.StrongAuthenticationMethods.MethodType }},
         @{n='Chosen Method'; e={ ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType }} |
     Out-GridView

All users except two have authentication methods = {PhoneAppOTP, PhoneAppNotification} i.e. the authenticator app, as expected.
Of the other users, one has {OneWaySMS, TwoWayVoiceMobile} and the other has {OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification}. I thought that the Security Defaults only support MFA using the authentication app - not SMS or voice. You can only choose the authentication app methods when registering MFA. So it's strange that these two users have SMS and voice authentication enabled, and even stranger that one user doesn't have the authentication app methods enabled. This seems a bit of a mess!! However, this is separate from my original issue... several users with {PhoneAppOTP, PhoneAppNotification} are not being prompted for MFA.

Thanks for raising this with the Azure AD team. I'll raise a support ticket about this as well.


The presence of Security Defaults non-supported methods in some users could be evidence that MFA was enabled for them before Security Defaults. This could've been done using the referred page: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx. I will keep you updated.

beze04 replied to alfredorevilla-msft:

Hello. Any updates on this? We have the same issue.


@JamesTran-MSFT can you take a look at this one?

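The Get-MsolUser query in the post above comes from the MSOnline module, which is deprecated; the same per-user view is available from Microsoft Graph, and the answer's suggested Get-MgUserAuthenticationPhoneMethod is one cmdlet from that family (the generic Get-MgUserAuthenticationMethod returns every registered method at once). The script below is an added example, not code from the original thread or from Microsoft. It lists each member user's registered methods and flags two things the thread cares about: users with no second factor registered at all (still inside, or having skipped, the Security Defaults registration window), and users whose only second factor is a phone number (SMS/voice), which matches the OneWaySMS/TwoWayVoiceMobile case the poster found and which Security Defaults' own registration flow does not offer. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to User.Read.All and UserAuthenticationMethod.Read.All; the label table is the example's own naming, not a Graph API concept.

```powershell
# Added example (not from the original thread): Graph SDK equivalent of the
# Get-MsolUser query above. Assumes the Microsoft.Graph module is installed
# and the caller can consent to the two scopes below.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Map the @odata.type of each method object to a short label (example's own
# naming; the keys are the real Graph resource types).
$labels = @{
    '#microsoft.graph.passwordAuthenticationMethod'                = 'Password'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'AuthenticatorApp'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'Phone(SMS/Voice)'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'SoftwareOATH'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'FIDO2'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'WHfB'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'TAP'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'Email(SSPR only)'
}
# Methods that do not count as a second factor for sign-in.
$notSecondFactor = @('Password', 'Email(SSPR only)')

$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled, UserType |
    Where-Object { $_.UserType -eq 'Member' }

$report = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $kinds = @(foreach ($m in $methods) {
        $t = $m.AdditionalProperties['@odata.type']
        if ($labels.ContainsKey($t)) { $labels[$t] } else { $t }
    }) | Sort-Object -Unique

    $strong = @($kinds | Where-Object { $_ -notin $notSecondFactor })

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        Methods       = ($kinds -join ', ')
        # No second factor registered: this user cannot be challenged yet.
        MfaRegistered = ($strong.Count -gt 0)
        # Only a phone number: SMS/voice registered outside Security Defaults.
        PhoneOnly     = ($strong.Count -gt 0) -and
                        ($strong -contains 'Phone(SMS/Voice)') -and
                        ($strong -notcontains 'AuthenticatorApp')
    }
}

$report | Sort-Object MfaRegistered, PhoneOnly, User | Format-Table -AutoSize

# The two lists worth acting on.
$report | Where-Object { -not $_.MfaRegistered } | Select-Object User, Enabled | Format-Table -AutoSize
$report | Where-Object PhoneOnly | Select-Object User, Methods | Format-Table -AutoSize
```

Users in the first list are the most likely explanation for "never prompted": with nothing registered there is no second factor for Azure AD to ask for, and Security Defaults only forces registration once the 14-day window has lapsed. Users in the second list have a method Security Defaults itself would not have registered, consistent with the per-user MFA history that alfredorevilla-msft suspects above.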