SenhorDolas-2197 asked:

MFA and SSPR - Account status not changing from Enabled to Enforced even after registration

Hey Everyone,

I have my users enabled for SSPR and combined MFA/SSPR (AD groups in the Azure console) and MFA (MFA console).

They then log in to a modern app and go through the registration fine.

The problem is that in the MFA console they are still showing as Enabled and do not change to Enforced.

From PowerShell I see that the user has Authentication Methods enrolled.

Is this expected because SSPR does not provide an App Password like normal MFA enrolment does?
Or could it be that the users registered for SSPR and then later they were enabled for MFA?

Thanks M


Tags: azure-ad-multi-factor-authentication, azure-security-center

1 Answer

MarileeTurscak-MSFT answered:

It sounds like this is because the users had MFA re-enabled at some point after their initial registration, as you mentioned. The documentation says, "If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced."

I don't think it would be because the app password isn't created, since the documentation also says, "If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."

This would indicate to me that as long as they either re-register or complete the registration when the MFA is initially enabled, the status should change to Enforced.

@MarileeTurscak
I think I have the workflow for the scenario that I am in.

Scenario account MFA status is MFA Enforced:
- User is first time SSPR and MFA enabled
- User completes registration on web based modern auth app
- User is listed as SSPR Registered and MFA Enforced
- PowerShell $user.StrongAuthenticationRequirements.State reports as Enforced

Scenario account MFA status is MFA Enabled:
- User is first time SSPR enabled
- User completes registration on web based modern auth app
- User is listed as SSPR Registered
- After this Helpdesk enable MFA for the user
- User next login is prompted for MFA code
- PowerShell $user.StrongAuthenticationRequirements.State reports as Enabled
I think this is because of the app password missing, but I am unable to produce one from MyAccount; the only options showing are phones...
M
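The two situations above (the answer's "administrator must move the user directly to Enforced" and the commenter's second scenario, where the user is SSPR-registered, later enabled for MFA, and stuck at Enabled) can be handled from the same PowerShell session the commenter is already using. The following script is an added example, not code from the thread or from Microsoft; it assumes the legacy MSOnline module (the one that exposes the StrongAuthenticationRequirements property quoted above) is installed and that Connect-MsolService has already been run with an account allowed to manage per-user MFA. The function names Get-StuckMfaUsers and Set-MfaEnforced are this example's own.

```powershell
# Added example: find users stuck at per-user MFA state "Enabled" although
# they have already registered authentication methods, and move them to
# "Enforced" the way the quoted documentation says the admin must.
# Assumes: Import-Module MSOnline works and Connect-MsolService was run.
Import-Module MSOnline

function Get-StuckMfaUsers {
    # A user in the thread's situation has State = Enabled (per-user MFA was
    # turned on after they registered) but a non-empty method list.
    Get-MsolUser -All |
        Where-Object {
            $_.StrongAuthenticationRequirements.State -eq 'Enabled' -and
            $_.StrongAuthenticationMethods.Count -gt 0
        }
}

function Set-MfaEnforced {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # Same object shape Microsoft's per-user MFA docs use: RelyingParty "*"
    # means the requirement applies to every relying party.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enforced'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Report first, enforce second: enforcing a user who has nothing registered
# only pushes them into a registration prompt at next sign-in, so it is worth
# confirming the registered methods before changing state.
$stuck = Get-StuckMfaUsers
foreach ($u in $stuck) {
    $methods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ', '
    Write-Host ('{0}: State={1}; registered methods: {2}' -f `
        $u.UserPrincipalName, $u.StrongAuthenticationRequirements.State, $methods)
}

# After reviewing the list, move each one to Enforced (uncomment to apply):
# $stuck | ForEach-Object { Set-MfaEnforced -UserPrincipalName $_.UserPrincipalName }
```

Running the report without the final line is the safe default; the list it prints is exactly the set of users whose PowerShell state reads Enabled despite a completed registration, which is the second scenario the commenter describes. Re-running Get-MsolUser on a user afterwards should show StrongAuthenticationRequirements.State as Enforced, matching the first scenario.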