question

TimRichards-5402 avatar image
0 Votes"
TimRichards-5402 asked ·

User getting MFA prompt even when MFA status set to disabled and no conditional access

Hello there
Hoping someone can help. We have been introducing MFA to our company by changing MFA status to Enabled and getting them to configure it using the ms authenticator app and the QR code.
That has been going well but the other day we had a user who all of a sudden stopped getting the 'Approve' button. We tried to new authenticator account using a new QR code but it kept failing saying it had already been used.
We disabled his MFA, deleted all existing app passwords and went in to azure ad, found the user and clicked 'revoke MFA sessions. After that we left it overnight, re-enabled his MFA hoping he would get the 'more information' window so he could reconfigure MFA however he actually got a window showing his email address, 'Enter Code' we've texted your phone and a 'verify' button.
what I don't understand is we changed his MFA to Enabled a min or so before so MA hadn't even been configured.
any help would be really appreciated

azure-ad-multi-factor-authentication
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

amanpreetsingh-msft avatar image
1 Vote"
amanpreetsingh-msft answered ·

@TimRichards-5402 Could you please run Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | select strongauthentication* and confirm if StrongAuthenticationMethods attribute is empty or not. If this attribute has some value, that means there are one or more methods stored for user account to perform MFA.

To clear the StrongAuthenticationMethods attribute use below cmdlet:

Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @()

Once the above cmd is executed successfully, go to https;//aka.ms/mfasetup and sign-in with that user account. User will get "More information required" page and he can set MFA for his account.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@TimRichards-5402
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?


If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·
michev avatar image
1 Vote"
michev answered ·
·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

timrichards-9940 avatar image
0 Votes"
timrichards-9940 answered ·

Hi James and Amanpreet

Amanpreet - that worked a treet, I have a follow up question.

during our project to get users configured in Azure MFA we have gone in to the o365 admin center - users - active users - multifactor authentication, finding the user and enabling MFA so they get the 'more information' screen to setup their ms authenticator app so their mfa status shows as 'enforced'.

some users didn't go through that process instead went to aka.ms/mfasetup. After they configure MFA their user account in the o365 admin center - users - active users - multifactor authentication still shows them as 'disabled'. Our issue is that we something have to remove their MFA (ie disable) but are unable to as their status is already 'disabled'.

will running the powershell command you listed above do the same thing as disabling their MFA in o365 admin center - users - active users - multifactor authentication? if not, is there another way we can disable MFA in this situation?

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.