1 Vote
CurtisKobelsky-8197 asked NormanJ-8524 edited

M365 not prompting for MFA after enabling Security Defaults in Azure AD

Recently for a client of mine I enabled Security Defaults in Azure AD to help secure the accounts with MFA (primarily in Microsoft 365). Unfortunately it seems that even though Security Defaults is enabled it isn't applying to people when they login to Microsoft 365, it just lets them in without needing to do MFA. If they login to the Azure portal they do get the MFA prompt which is what I would expect. I should note that I am logging in with a new "guest" browser session each time, which should prompt me for MFA no matter what since it should be classified as a "new" device.

I was sure this was working before in my tenant, but when I tested it out I get the same behavior (no MFA prompt in M365, MFA prompt in Azure Portal). Am I completely crazy or did something change in the last year with respect to Security Defaults where it no longer applies to Microsoft 365 logins anymore?

azure-ad-multi-factor-authentication

There is this tidbit at https://docs.microsoft.com/en-au/azure/active-directory/fundamentals/concept-fundamentals-security-defaults:

One common method to improve protection for all users is to require a stronger form of account verification, such as Multi-Factor Authentication, for everyone. After users complete Multi-Factor Authentication registration, they'll be prompted for additional authentication whenever necessary. Users will be prompted primarily when they authenticate using a new device or application, or when performing critical roles and tasks. This functionality protects all applications registered with Azure AD including SaaS applications.

Using a guest or incognito/inprivate session is basically a new device, which I would think should prompt for MFA on login. Has anyone else experienced or tested this out lately? I have a ticket with Microsoft open, but frankly it has been a rather painful experience and isn't going much of anywhere quickly...

0 Votes

1 Vote
NormanJ-8524 answered

Hi @CurtisKobelsky-8197

did you get any response from Microsoft for this case?
I have the same behaviour for one of our small clients without AD P licenses.

We activated security defaults and users must register their Microsoft Authenticator.
But if they log in from home or with another PC (I tested with the credentials of one user on my PC with a different public IP) they don't get asked to perform MFA; they log in without MFA.

Any ideas?

Regards,
Norman

1 Vote
JamesJenkinsDigital answered CurtisKobelsky-8197 commented

Hi Curtis,

I'm assuming that you've gone to Azure AD > Properties > Manage Security Defaults > Enable?

More information can be found here: https://docs.microsoft.com/en-au/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

My only other suggestion would be testing on both a domain joined device and a personal (non-joined) device.


@JamesJenkins-5590
Yes, that's all I did (which is all you need to do). I realize that once you have a device/browser recognized by M365 you may not get a prompt, but since I'm using a guest browser session that shouldn't enter into the picture (I used incognito/InPrivate mode as well, same thing).

0 Votes

0 Votes
NormanJ-8524 answered NormanJ-8524 edited

Hi @GavinPitt-3436,

I found out that this is by design.
Security Defaults ask for MFA for (non-administrator) users only WHEN NECESSARY. No idea how the AI from Microsoft decides whether it is necessary to confirm MFA or not.
see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Here is a good article I found on the internet:
https://diligex.com/2021/01/are-microsoft-365-azure-security-defaults-sufficient/

I hope this will help.

We are going to enable "Per-User MFA" in addition to "Security Defaults". This way it is less confusing and people get asked again after the configured number of days and on new devices.

Regards,
Norman

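Added example, not code from the thread or from Microsoft: a small Python audit over an exported sign-in log that surfaces exactly what the posters describe (successful Microsoft 365 sign-ins that completed with a single factor from a device the tenant does not manage) and gives a per-application MFA rate, so you can see "MFA in the Azure portal, none in M365" in the data rather than by trial logins. The field names `authenticationRequirement`, `appDisplayName`, `deviceDetail.isManaged` and `status.errorCode` follow the Microsoft Graph `signIn` resource; the sample records, their values and the M365 app-name prefix list are constructed assumptions.

```python
import json
from collections import defaultdict
# Constructed sample records shaped like a Microsoft Graph /auditLogs/signIns
# export (field names follow the Graph signIn resource; all values are made up).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0},
     "deviceDetail": {"isManaged": False}, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0},
     "deviceDetail": {"isManaged": False}, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126},
     "deviceDetail": {"isManaged": False}, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0},
     "deviceDetail": {"isManaged": True}, "ipAddress": "192.0.2.5"},
])

# Display-name prefixes of the workloads the thread is about (assumed list).
M365_APP_PREFIXES = ("Office 365", "Microsoft Teams", "OfficeHome")

def parse_signins(raw):
    """Load an exported sign-in log: a JSON array of signIn records."""
    return json.loads(raw)

def succeeded(record):
    return record.get("status", {}).get("errorCode", 1) == 0

def find_unenforced(records):
    """Successful M365 sign-ins completed with a single factor from a device the
    tenant does not manage: the situation the thread describes."""
    hits = []
    for r in records:
        single = r.get("authenticationRequirement") == "singleFactorAuthentication"
        unmanaged = not r.get("deviceDetail", {}).get("isManaged", False)
        m365 = r.get("appDisplayName", "").startswith(M365_APP_PREFIXES)
        if succeeded(r) and single and unmanaged and m365:
            hits.append((r["userPrincipalName"], r["appDisplayName"], r.get("ipAddress")))
    return hits

def mfa_rate_by_app(records):
    """Per application: (successful sign-ins, how many of them required MFA)."""
    totals = defaultdict(lambda: [0, 0])
    for r in filter(succeeded, records):
        app = r.get("appDisplayName", "?")
        totals[app][0] += 1
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            totals[app][1] += 1
    return {app: tuple(counts) for app, counts in totals.items()}
```

Failed sign-ins are skipped on purpose: a password-only failure says nothing about whether MFA would have been demanded afterwards.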

0 Votes
GavinPitt-3436 answered

Is anyone else having any luck getting this resolved? I am having exactly the same problem and it is extremely concerning.
