Question

russellr asked:

Azure MFA/ADFS - one user requiring MFA even when its disabled

We initially enabled Azure MFA but then disabled it due to issues.

We have one user on our Office 365 account who is still prompted for the “more information required” page when logging in. The ultimate error is “An error occurred. No valid strong authentication method found. Contact your administrator to configure and enable appropriate strong authentication provider.”

MFA is disabled for the user and disabled for the tenant (Enable security defaults is set to No).

The event logged on the ADFS server is Event 364, AD FS:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.Web.NoValidStrongAuthenticationMethodException: No strong authentication method found for the request from urn:federation:MicrosoftOnline.
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The problem user account doesn’t appear to be any different from others that don’t have any issues logging in.

Does anyone have any ideas where I should look to resolve this?

Thanks

Russell

Tags: azure-active-directory, adfs, azure-ad-multi-factor-authentication
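As an added example (not part of Russell's post), the following PowerShell pulls the Event 364 entries from the AD FS Admin log on the federation server and keeps only those carrying the NoValidStrongAuthenticationMethodException quoted above, so the affected relying party, protocol and request activity can be listed without reading each event by hand. The log name, the seven-day window and the parsing of the "Relying Party:" and "Protocol Name:" lines are assumptions based on the event text shown in the question; correlating the ActivityId with other AD FS events for the same request is likewise an assumption.

```powershell
# Added example, not from the thread. Assumes it runs on the AD FS server
# in a session with rights to read the 'AD FS/Admin' event log.
function Get-AdfsNoStrongAuthEvents {
    param(
        [int]$Days = 7   # how far back to look; assumption, adjust as needed
    )

    $since = (Get-Date).AddDays(-$Days)

    # Event 364 = "Encountered error during federation passive request"
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        Id        = 364
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message

        # Keep only the failure mode discussed in the question
        if ($msg -notmatch 'NoValidStrongAuthenticationMethodException') { continue }

        # The event body carries "Relying Party:" and "Protocol Name:" lines
        # (format assumed from the text quoted in the question)
        $rp    = if ($msg -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
        $proto = if ($msg -match 'Protocol Name:\s*(\S+)') { $Matches[1] } else { '(unknown)' }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            RelyingParty = $rp
            Protocol     = $proto
            ActivityId   = $e.ActivityId   # assumed usable to correlate with other AD FS events for the request
        }
    }
}

Get-AdfsNoStrongAuthEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the filtered list shows the same relying party (urn:federation:MicrosoftOnline) every time, the requirement for a second factor is being raised for that RP specifically, which narrows the search to the RP's policy rather than a farm-wide setting.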

ManuPhilip answered:

Hello @Russel,
It looks like you have Security defaults applied to your Azure AD; they can be disabled as below:

Azure Active Directory > Properties> Manage security defaults at the bottom of the page >set Enable security defaults to No


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can then also follow the solution as per your suggestion.

Regards,

Manu


russellr replied:

Hi

Thanks for the reply.

As mentioned in my original post, I already have this set to no.

"MFA is disabled for the user and disabled for the tenant (Enable security defaults is set to No)"

Thanks

Russell

amanpreetsingh-msft answered (1 vote):

Hi @northport,

Looking at the error, there seems to be some Access Control Policy applied to the Microsoft Office 365 Relying Party that requires MFA to be performed, and since MFA is disabled, authentication is failing at the second factor.

On ADFS, the global authentication method can also be configured to require MFA, but as one user is getting this error I suspect it is not configured at the global level but by a specific Access Control Policy on the O365 RP.

Please check the access control policies on the O365 Relying party on ADFS Server and remove any policy that requires MFA to be performed. For more details on access control policies in ADFS, please refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs.


Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


russellr replied:

Hi

Thanks for the reply.

I've checked the Relying Party Trusts and the attached Access Control Policy. The only policy in use is the "Permit Everyone" policy.

The Relying Party Trusts has what I believe would be the standard Office 365 configuration.

Is there something more specific I could check to see why this one user isn't working?

Thanks again

Russell

LarryAlexander-1838 answered:

Hi Russell,

Out of curiosity, have you checked via PowerShell (as administrator) for additional authentication rules?

# Run in an elevated PowerShell session on the AD FS server
$ThisRPT = "{Your RPT}"   # display name of the relying party trust as shown by Get-AdfsRelyingPartyTrust
(Get-AdfsRelyingPartyTrust -Name $ThisRPT).AdditionalAuthenticationRules

Using an Access Control Policy should mean that there are no Additional Authentication Rules, but it is best to be sure, as these do not show in the ADFS GUI screens.

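As an added example (not code from any of the posters), the following PowerShell gathers, in one pass, each place on an AD FS farm where a second factor can be demanded for the Office 365 relying party: the global authentication policy and global additional authentication rules (the farm-wide case amanpreetsingh-msft mentions), and the RP's assigned Access Control Policy together with any legacy per-RP AdditionalAuthenticationRules (the check LarryAlexander-1838 suggests). Any of these returning an MFA requirement while no additional authentication provider is registered is consistent with the NoValidStrongAuthenticationMethodException in the question. The RP display name is a placeholder; the cmdlets and property names are from the ADFS PowerShell module.

```powershell
# Added example, not from the thread. Assumes the ADFS module is available
# and the script runs elevated on an AD FS server (2016 or later, where
# access control policies exist). The RP name below is a placeholder.
Import-Module ADFS

function Get-AdfsMfaRequirementSources {
    param(
        [Parameter(Mandatory)]
        [string]$RelyingPartyName   # display name as listed by Get-AdfsRelyingPartyTrust
    )

    # 1. Farm-wide settings: which MFA providers are registered, and whether a
    #    global additional authentication rule demands one.
    $global = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        Scope   = 'Global'
        Setting = 'AdditionalAuthenticationProvider'
        Value   = ($global.AdditionalAuthenticationProvider -join ', ')
    }
    [pscustomobject]@{
        Scope   = 'Global'
        Setting = 'AdditionalAuthenticationRules'
        Value   = (Get-AdfsAdditionalAuthenticationRule)
    }

    # 2. Relying-party settings: the assigned access control policy and the
    #    legacy per-RP rules that the GUI does not display.
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) {
        throw "Relying party trust '$RelyingPartyName' not found."
    }
    [pscustomobject]@{
        Scope   = 'RelyingParty'
        Setting = 'AccessControlPolicyName'
        Value   = $rp.AccessControlPolicyName
    }
    [pscustomobject]@{
        Scope   = 'RelyingParty'
        Setting = 'AdditionalAuthenticationRules'
        Value   = $rp.AdditionalAuthenticationRules
    }

    # 3. If an access control policy is assigned, surface its definition so a
    #    policy that merely looks like "Permit Everyone" can be confirmed.
    if ($rp.AccessControlPolicyName) {
        $acp = Get-AdfsAccessControlPolicy -Name $rp.AccessControlPolicyName
        [pscustomobject]@{
            Scope   = 'AccessControlPolicy'
            Setting = $acp.Name
            Value   = $acp.Description
        }
    }
}

# Placeholder RP name; substitute the display name of your Office 365 relying party trust
Get-AdfsMfaRequirementSources -RelyingPartyName 'Microsoft Office 365 Identity Platform' |
    Format-Table Scope, Setting, Value -AutoSize -Wrap
```

A healthy configuration for a tenant that has turned MFA off shows an empty AdditionalAuthenticationRules value at both the global and the relying-party scope; a non-empty rule text at either scope, with no provider listed under AdditionalAuthenticationProvider, is the combination to investigate first.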