question

MiguelAngel-0220 asked ·
0 Votes

Avoid switching to Enforced after enrolling

Hello

We are starting to use MFA in our company, but we do not want to use the Enforced method, only Enabled. I understand that after registration users switch to Enforced, but how can I avoid that? Even if I register the phone for them before their first login, it will do the registration and switch to Enforced.


Please provide a little guidance.

azure-active-directory

KAREDD-MSFT answered ·
0 Votes

Hi,

I am afraid it's not feasible to get MFA to work in just Enabled mode. However, we recommend using Conditional Access policies to trigger MFA.

With CA policies, you can control in which scenarios the user should be prompted for MFA, and users will be prompted accordingly. I would recommend going through this doc to understand more about CA policies and how to create them.



MiguelAngel-0220 answered ·
0 Votes

I guess I asked the wrong question then: is the Enforced method the one that forces the apps to use a custom password? Because that is what we do not want to use in particular; we want to keep using the domain password of the user account.


Hi Miguel.

That is something different. Basically, Enabled and Enforced are the same option; the only difference is the behavior at the very next authentication. In the Enabled state, the user is asked to add/validate authentication information during the very next web browser authentication. After that, the user is always required to use MFA during authentication, which is the behavior of the Enforced mode.

So Enforced means that the user is always prompted for MFA during authentication. It means that all apps must use modern authentication, which is the way users authenticate in a web browser or Office apps (not just a dialog for username and password, but a rendered HTML authentication dialog that supports "modern authentication", which is required to be able to pass MFA).

So if you use apps that don't support modern authentication, you have to use app passwords anyway. If you only have apps that support modern authentication, you don't need to worry about the Enforced state.

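As an added example that is not part of the thread, this is what the Conditional Access approach recommended in the first answer looks like when created through the Microsoft Graph PowerShell SDK, scoped to the modern-authentication clients the last answer describes. It assumes the `Microsoft.Graph` module is installed, that the signed-in admin can consent to `Policy.ReadWrite.ConditionalAccess`, and that the break-glass object id is a placeholder you replace with your own.

```powershell
# Added example (not from the original thread): create a Conditional Access policy
# that requires MFA for all users on all cloud apps, started in report-only mode so
# sign-in logs show who would be affected before anything is enforced.
# Assumes: Microsoft.Graph module installed; placeholder break-glass object id below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of an emergency-access account that must never be locked out.
$breakGlassObjectId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    # Switch to "enabled" only after reviewing report-only results in the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Only modern-auth clients can complete an MFA prompt; legacy clients
        # ("other", "exchangeActiveSync") cannot, which is the app-password problem
        # discussed above, so they are deliberately not in scope here.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was stored: id, state, and the grant control that was applied.
$created | Select-Object Id, DisplayName, State,
    @{ Name = "GrantControls"; Expression = { $_.GrantControls.BuiltInControls -join "," } }
```

Users stay in per-user MFA "Disabled" state with this approach; the prompt is driven entirely by the policy, so there is no Enabled-to-Enforced transition to avoid.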