pmartynas-9319 asked amanpreetsingh-msft commented

Disabling MFA for global admin

Hi,

I've got a strange problem. I'm the global admin for my small company's Office 365 (we use only Business Basic/Standard licences), though I'm not a tech pro, just the most tech-savvy person in the office, so please bear with me.

Some time ago I turned on MFA via the Authenticator app (can't remember exactly where) solely for my account. Recently the Authenticator app on my phone was deleted, and after restoring it from backup it asks me to re-set up the MFA code for my company account.

When I go to https://myaccount.microsoft.com/ > ADDITIONAL SECURITY VERIFICATION, it asks me to log in with MFA. I get only two options: an app notification or an app-generated code. Obviously I can't provide either of them, because the Authenticator app asks me to re-set up MFA. There are no SMS/call options and I can't proceed further.

However, I can freely log in to the O365 admin center, the company's Azure Active Directory, my email account, etc.; it only asks for the password, no MFA.

In the O365 admin center, it says that MFA is disabled:

[screenshot: mfa.png]


In Azure AD, I can't make any changes in regard to MFA, as we don't have it enabled for the whole organization:

[screenshot: mfa1.png]

But when I check my account via PowerShell, using the command Get-MsolUser -UserPrincipalName xx@domain.com | FL, it shows that strong authentication is required for this account. The suggested script I found here didn't change anything:

    # Empty array: the intent is to clear the user's registered strong-authentication methods
    $AzureMFA = @()
    # Original had a typo ($AzureMF), which would have passed $null instead of the empty array
    Set-MsolUser -UserPrincipalName "xxx" -StrongAuthenticationMethods $AzureMFA

[screenshot: mfa2.png]

And there are no Conditional Access policies turned on:

[screenshot: mfa3.png]

what are my options?





amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @pmartynas-9319, thanks for your response. These endpoints are secured with MFA by default, and you will always be prompted for proofup (the second factor) if you try to set ADDITIONAL SECURITY VERIFICATION via https://myaccount.microsoft.com/?ref=MeControl or https://aka.ms/mfasetup, even when MFA is not enforced on the user account. This behavior can NOT be changed.

This is to prevent a malicious user from setting their own phone number as the second factor of authentication if they somehow managed to get access to a user account with the first factor of authentication.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


@amanpreetsingh-msft So I should simply ignore that I have MFA activated somewhere, and there is no way to reset the current situation? Because I fear I might get locked out of something I haven't yet discovered in the future.


@pmartynas-9319 MFA for these specific endpoints is enabled for every user in every tenant on Azure. You should ignore it, as it will only be triggered if you want to change your additional authentication method, and it won't lock you out as long as you are able to log in to the Azure Portal. You just need to be careful while enforcing MFA via a CA policy, and the recommendation is to exclude at least one account if you are applying the policy to All Apps.

ShivaBezwadaJCS-8240 answered pmartynas-9319 commented

Could you do me a favor and double-check whether you have Security Defaults turned on? In the Azure AD portal, go to Properties, and at the bottom click "Manage Security Defaults".

If it is set to On, that applies the same policy as "Require MFA for admins" by default. If it is Off, then we can try another solution!

[screenshot: ad1.png]

[screenshot: ad2.png]




amanpreetsingh-msft answered pmartynas-9319 commented

Hello @pmartynas-9319

Below are the features that can trigger MFA for a user account. You have already checked 3 and 4; kindly check 1 and 2 as well.

  1. Per user MFA: Azure Portal > Azure AD > Users > All Users > Multi-Factor Authentication

  2. MFA for Risky Sign-ins: Azure AD Identity Protection > Sign Risk Policy > Control > Require multi-factor authentication.

  3. Conditional Access Policy

  4. Security Defaults

If you cannot identify what is triggering MFA, please share the correlation ID. I will try to track it to figure out what is triggering MFA.

To get the correlation ID, do not respond to the MFA challenge and wait for the failure to occur. On the error screen, click More Information and find the correlation ID. Please refer to the screenshot below:

[screenshot: image.png]


Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.





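The four triggers listed in the answer above, plus the Get-MsolUser / Set-MsolUser check from the original question, can be audited from one PowerShell session. The script below is an added example written for this page; it is not from the thread or from Microsoft. It assumes the MSOnline and AzureADPreview modules are installed and that Connect-MsolService and Connect-AzureAD have already been run as a Global Admin (both modules have since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, but they match the cmdlets the 2020 thread uses). The UPN is a placeholder.

```powershell
<#
  Added example, not part of the thread. Reports, for one user, each of the
  four places that can require MFA: per-user MFA, Identity Protection,
  Conditional Access and Security Defaults.
  Assumes: Connect-MsolService and Connect-AzureAD already done as Global Admin.
#>
function Get-MfaTriggerReport {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # 1. Per-user MFA. Two different properties matter here:
    #    - StrongAuthenticationRequirements: the per-user Enabled/Enforced state
    #    - StrongAuthenticationMethods: the factors the user has registered
    #    The script in the question cleared the *methods*; that does not turn
    #    the per-user requirement off.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $perUserStates = @($user.StrongAuthenticationRequirements | ForEach-Object { $_.State })
    $perUserState  = if ($perUserStates.Count -gt 0) { $perUserStates -join ',' } else { 'Disabled' }
    $registeredMethods = @($user.StrongAuthenticationMethods | ForEach-Object {
        if ($_.IsDefault) { "$($_.MethodType) (default)" } else { $_.MethodType }
    })

    # 2. Identity Protection sign-in risk policy: the legacy policy has no
    #    cmdlet in these modules, so it has to be checked in the portal.
    #    A risk-based Conditional Access policy is caught by step 3.

    # 3. Conditional Access: any enabled policy whose grant control includes "mfa".
    #    (GrantControls can be $null for block-only policies; -contains on $null is $false.)
    $caMfaPolicies = @(Get-AzureADMSConditionalAccessPolicy | Where-Object {
        $_.State -eq 'enabled' -and ($_.GrantControls.BuiltInControls -contains 'mfa')
    } | ForEach-Object { $_.DisplayName })

    # 4. Security Defaults: one tenant-wide switch; when on it requires MFA for admins.
    $securityDefaults = (Get-AzureADMSIdentitySecurityDefaultEnforcementPolicy).IsEnabled

    # Note: even with all four off, https://aka.ms/mfasetup (the proofup page)
    # still challenges for the second factor, as the accepted answer explains.
    [pscustomobject]@{
        User                 = $UserPrincipalName
        PerUserMfaState      = $perUserState
        RegisteredMethods    = ($registeredMethods -join ', ')
        ConditionalAccessMfa = ($caMfaPolicies -join ', ')
        SecurityDefaults     = $securityDefaults
    }
}

# Usage (placeholder UPN):
Get-MfaTriggerReport -UserPrincipalName 'admin@contoso.onmicrosoft.com' | Format-List

# To clear the per-user *requirement* (as opposed to the registered methods),
# the parameter is StrongAuthenticationRequirements, not StrongAuthenticationMethods:
# Set-MsolUser -UserPrincipalName 'admin@contoso.onmicrosoft.com' -StrongAuthenticationRequirements @()
```

The report is returned as an object rather than printed so it can be piped to Export-Csv across many users. The distinction in the last comment is the one the original question tripped over: Get-MsolUser showing "strong authentication required" reflects StrongAuthenticationRequirements, and clearing StrongAuthenticationMethods leaves that state untouched.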

Hey,

  1. Per-user MFA: it shows as disabled for all users, including mine.

  2. MFA for risky sign-ins: I can't change anything here, so I guess it is off too; see screenshot.

[screenshot: mfa4.png]




And here is correlation ID:

Error Code: 500121
Request Id: 7bbba0f9-4065-4c1c-aa88-734e73113500
Correlation Id: 0818fd5c-40fb-4805-b66c-0f561c7998bc
Timestamp: 2020-07-30T07:55:33Z

amanpreetsingh-msft answered pmartynas-9319 commented

@pmartynas-9319 Thank you for sharing the details. I tracked the request and found that MFA is explicitly enforced by the client application 'Microsoft App Access Panel'. Could you please confirm the information below:

  • Are you getting the MFA prompt only when you access Microsoft App Access Panel? Or do you get the MFA prompt while accessing the Azure portal / Office 365 portal / Exchange Online as well?

  • If you are getting the MFA prompt only for Microsoft App Access Panel, are you using any custom link to access it? If yes, please share the link.

It would be helpful if you could share a Fiddler capture. Please follow the instructions below to capture a Fiddler trace:
Setup:
• Download and install Fiddler from here: https://www.telerik.com/fiddler
• Follow these instructions to enable HTTPS capture: https://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS (do steps 1 and 2)
To get traces:
• Start Fiddler (it will start capturing).
• Repro the issue.
• Stop Fiddler capturing by hitting the F12 key.
• Save all sessions as a .saz file and send it via email to azcommunity[at]microsoft[dot]com with the subject "Redirect to Amanpreet". I will analyze the capture and let you know.
Note: the Fiddler capture may contain credentials in plain text, so I would suggest you reset the password after reproducing the issue during the Fiddler capture.



Hi @pmartynas-9319, have you had a chance to capture the Fiddler trace? I want to add one more point: if you access https://account.activedirectory.windowsazure.com/proofup.aspx (https://aka.ms/mfasetup) you will always be prompted for MFA, regardless of whether MFA is enabled or disabled.


Hey @amanpreetsingh-msft, sorry for the late reply.

By Microsoft App Access Panel, do you mean https://myapplications.microsoft.com/ ? I don't get an MFA prompt there. I can access the Azure portal / Office 365 portal / Exchange Online without an MFA prompt as well. The only place where I get an MFA prompt is when I go to https://myaccount.microsoft.com/?ref=MeControl and click on ADDITIONAL SECURITY VERIFICATION.

On your other link, https://aka.ms/mfasetup, I get the MFA prompt as well.

Should I still do the Fiddler capture? If yes, which link should I try to access?




