question

Ellrick-5404 asked

MFA for external web app

Hello All,

We have a number of users who are accessing the external Azure web application. Each time they log in, they have to go through the Microsoft MFA and answer a call.

When I checked the Sign-in logs in our AAD, I can see all sign-in attempts to the external app, and the Authentication Requirement column says Multi-Factor Authentication.

Is the MFA in this case enabled on the external web application? The MFA is not enabled for those users in our Azure AD.


azure-ad-authentication

1 Answer

amanpreetsingh-msft answered

Hi @Ellrick-5404 • Thank you for reaching out.

The most probable cause of this behavior is a Conditional Access policy. With Conditional Access, you have the option to require MFA only for a specific application. You can also include conditions, such as when the app is accessed from a specific location by a specific set of users. To confirm this, please check the sign-in logs to identify which Conditional Access policy is getting applied during that sign-in.

If you still can't identify that, kindly ask one of those users to either decline the MFA call or let it time out. Once MFA fails, you will get a correlation ID, request ID and timestamp on the error page. Please share that information and I will try to track the source that is originating MFA for you.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft

In the AAD sign-in logs, the Conditional Access column says Not Applied for the event.
I'm attaching a screenshot provided by the user. Thank you.

hsscreenshot.png (46.1 KiB)

Hi @Ellrick-5404 • Thank you for your time on the call. As discussed, MFA is being triggered via a conditional access policy in the resource tenant. To confirm the same, please exclude one user from the policy and ask the user to access the application again. Once excluded, the user should not get an MFA prompt.

Ellrick-5404 (in reply to amanpreetsingh-msft):

Hi @amanpreetsingh-msft Thank you for your help on this issue. We asked the resource tenant owner to exclude the user as per your instructions. I'll update this topic soon.


Hi @amanpreetsingh-msft this issue has been resolved, as per your instructions.

Thank you for your help.

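The pattern this thread ended on (Authentication Requirement shows MFA, Conditional Access shows Not Applied, and the app lives in another tenant) can be triaged in bulk from an exported sign-in log. The following is an added example, not code from the thread or from Microsoft. It assumes a JSON export using Microsoft Graph `signIn` property names (some are only in the beta schema); the tenant IDs, users and policy names are constructed placeholders.

```python
import json

# Constructed sample export; property names assume the Microsoft Graph signIn schema.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # placeholder tenant ID
RESOURCE_TENANT = "22222222-2222-2222-2222-222222222222"  # placeholder tenant ID
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "user1@example.com", "appDisplayName": "External App",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "resourceTenantId": RESOURCE_TENANT},
    {"userPrincipalName": "user2@example.com", "appDisplayName": "Internal App",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA (constructed)", "result": "success",
          "enforcedGrantControls": ["Mfa"]},
         {"displayName": "Block legacy auth (constructed)", "result": "notApplied",
          "enforcedGrantControls": ["Block"]}],
     "resourceTenantId": HOME_TENANT},
    {"userPrincipalName": "user3@example.com", "appDisplayName": "Internal App",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "resourceTenantId": HOME_TENANT},
])

def mfa_source(event, own_tenant_id):
    """Return (label, policy_names): where the MFA requirement most likely originates."""
    if event.get("authenticationRequirement") != "multiFactorAuthentication":
        return ("no-mfa-required", [])
    # Policies of this tenant that were actually evaluated and enforced an MFA grant.
    enforcing = [p.get("displayName", "?")
                 for p in event.get("appliedConditionalAccessPolicies") or []
                 if p.get("result") in ("success", "failure")
                 and "Mfa" in (p.get("enforcedGrantControls") or [])]
    if enforcing:
        return ("own-tenant-policy", enforcing)
    resource = (event.get("resourceTenantId") or "").lower()
    if (event.get("conditionalAccessStatus") == "notApplied"
            and resource and resource != own_tenant_id.lower()):
        # Nothing local applied and the resource is in another tenant: ask its owner.
        return ("resource-tenant", [])
    return ("undetermined", [])

def triage(export_json, own_tenant_id):
    """Map each exported sign-in to (user, app, label, policies)."""
    return [(e.get("userPrincipalName"), e.get("appDisplayName"), *mfa_source(e, own_tenant_id))
            for e in json.loads(export_json)]

if __name__ == "__main__":
    print(*triage(SAMPLE_EXPORT, HOME_TENANT), sep="\n")
```

A `resource-tenant` result only narrows the search: the policy itself is visible to the resource tenant's administrators, not in the home tenant's logs, which is why the exclusion test had to be done by the resource tenant owner.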