User getting MFA prompt even when MFA status set to disabled and no conditional access

Tim Richards 1 Reputation point
2020-08-20T01:54:59.567+00:00

Hello there
Hoping someone can help. We have been introducing MFA to our company by changing MFA status to Enabled and getting them to configure it using the MS Authenticator app and the QR code.
That has been going well, but the other day we had a user who all of a sudden stopped getting the 'Approve' button. We tried to add a new authenticator account using a new QR code, but it kept failing, saying it had already been used.
We disabled his MFA, deleted all existing app passwords, went into Azure AD, found the user and clicked 'revoke MFA sessions'. After that we left it overnight and re-enabled his MFA, hoping he would get the 'more information' window so he could reconfigure MFA; however, he actually got a window showing his email address, 'Enter Code', 'we've texted your phone' and a 'verify' button.
What I don't understand is we changed his MFA to Enabled a min or so before, so MFA hadn't even been configured.
Any help would be really appreciated

Microsoft Entra ID

3 answers

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-08-20T04:29:35.84+00:00

    @Tim Richards Could you please run Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | select strongauthentication* and confirm whether the StrongAuthenticationMethods attribute is empty or not. If this attribute has some value, that means there are one or more methods stored for the user account to perform MFA.

    To clear the StrongAuthenticationMethods attribute, use the cmdlet below:

    Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @()

    Once the above command has executed successfully, go to https://aka.ms/mfasetup and sign in with that user account. The user will get the "More information required" page and he can set MFA for his account.

    1 person found this answer helpful.
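
The check and reset described in the answer above, as an added example that is not part of the original post. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the function names Get-MfaRegistrationState and Clear-MfaRegistration are hypothetical.

```powershell
# Added example, not the answerer's code. Function names are hypothetical.
# Assumes: MSOnline module loaded and an active Connect-MsolService session.

function Get-MfaRegistrationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$UserPrincipalName
    )
    process {
        $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

        # Per-user MFA status: an empty requirements list shows as "Disabled".
        $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $user.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }

        # Registered methods are stored separately from the status above.
        $methods = @($user.StrongAuthenticationMethods)

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            PerUserMfaState   = $state
            RegisteredMethods = ($methods.MethodType -join ', ')
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
            # Methods are still stored although the status reads Disabled.
            StaleRegistration = ($state -eq 'Disabled' -and $methods.Count -gt 0)
        }
    }
}

function Clear-MfaRegistration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $before = Get-MfaRegistrationState -UserPrincipalName $UserPrincipalName
    if (-not $before.RegisteredMethods) {
        Write-Verbose "$UserPrincipalName has no registered methods; nothing to clear."
        return $before
    }
    # -WhatIf / -Confirm are handled here; Set-MsolUser runs only if approved.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear StrongAuthenticationMethods')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
    }
    # Return the state after the change so the reset can be confirmed.
    Get-MfaRegistrationState -UserPrincipalName $UserPrincipalName
}
```

Run Clear-MfaRegistration with -WhatIf first to see which account would be changed; the StaleRegistration column flags accounts that have stored methods while the per-user status is Disabled.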

  2. Vasil Michev 95,341 Reputation points MVP
    2020-08-20T07:35:30.84+00:00
    1 person found this answer helpful.

  3. tim richards 1 Reputation point
    2021-03-05T01:20:44.357+00:00

    Hi James and Amanpreet

    Amanpreet - that worked a treat. I have a follow-up question.

    During our project to get users configured in Azure MFA, we have gone into the O365 admin center - users - active users - multifactor authentication, finding the user and enabling MFA so they get the 'more information' screen to set up their MS Authenticator app, so their MFA status shows as 'enforced'.

    Some users didn't go through that process and instead went to aka.ms/mfasetup. After they configure MFA, their user account in the O365 admin center - users - active users - multifactor authentication still shows them as 'disabled'. Our issue is that we sometimes have to remove their MFA (i.e. disable) but are unable to, as their status is already 'disabled'.

    Will running the PowerShell command you listed above do the same thing as disabling their MFA in O365 admin center - users - active users - multifactor authentication? If not, is there another way we can disable MFA in this situation?
