nigelbeatson asked:

2 users (only) do not receive Microsoft MFA challenge?

We have 3 current Microsoft 365 users that get the MFA challenge when logging in. We have a couple that do not. I note that the default security settings are set to on.

I have just been through the adding of Microsoft Authenticator to the 2 without MFA and completed the check provided during the process, which worked fine. However, whenever they try to log in to the outlook.portal.com cloud access to email or use Outlook, they still do not receive the MFA challenge.

Can anyone advise what we need to check to get this working?

Many thanks

Vasil Michev (MVP)

Being registered for MFA doesn't mean you will be prompted for it, at least not on every login. There can be a variety of reasons why users are being prompted, depending on the set of features/licenses within your tenant. If you do want users to be prompted every time, you can configure the per-user MFA control to "enforced": https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

nigelbeatson (ASKER)

Thank you. I don’t particularly want the MFA challenge at every login, but when I log in as one of the problem users from my office, there is no challenge. I did not think that was normal?

As I said, the initial config went through OK, but I just wanted to be sure it's set up correctly as I am due to go away for 2 weeks, which is when the enforcement was set to be activated. Don’t want any problems while I am away.

Any advice appreciated.

Thanks

ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

Many thanks.

I will try the link provided.

I have just been contacted by one of the users that was working OK and he gets the MFA challenge on his PC, but now the Authenticator does not pop up on his phone.

Is there a routine where I can check the settings for each user, and is there anything that controls the notification popping up on the mobile app?

Many thanks

Hello, if you have Azure AD, you can access more detailed controls by navigating to entra.microsoft.com and selecting the "identity" tab, then go to "Users" and click on "All Users." Locate the user you're investigating and click on their name. On the left side under "Manage," open the "Authentication methods" section to view the devices registered for that user, which can aid in troubleshooting. At the top of that page, you should find an option to "View Authentication methods policy." Click on that link, and next to the Microsoft Authenticator method, you can access the settings configured for that specific authentication method.


Notifications are controlled on the mobile device side, make sure they're turned on therein and also check "battery optimization" or similar settings that allow the app to run in the background. In any case, the user can always open Authenticator manually and refresh therein.
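
The per-user portal check described above can also be run across the whole tenant from PowerShell. This is an added example, not part of the original thread; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can consent to the two scopes shown. It reports what each user has registered, not whether a given sign-in will be prompted.

```powershell
# Added example: list registered authentication methods for every user.
# Assumes the Microsoft.Graph module is installed and an admin signs in.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

$authenticatorType = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$passwordType      = '#microsoft.graph.passwordAuthenticationMethod'

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    try {
        $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id -ErrorAction Stop)
    }
    catch {
        Write-Warning "Could not read methods for $($user.UserPrincipalName): $($_.Exception.Message)"
        continue
    }

    # Each method's concrete type is carried in the @odata.type annotation.
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    # Phones registered in Microsoft Authenticator, by their display name.
    $devices = @($methods |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq $authenticatorType } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    # Everything except the password entry, with the Graph prefix/suffix trimmed.
    $nonPassword = @($types | Where-Object { $_ -ne $passwordType } |
        ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '' })

    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        Enabled              = $user.AccountEnabled
        AuthenticatorDevices = $devices -join ', '
        RegisteredMethods    = ($nonPassword | Sort-Object -Unique) -join ', '
        PasswordOnly         = ($nonPassword.Count -eq 0)
    }
}

# Users with nothing but a password registered are listed first.
$report | Sort-Object PasswordOnly -Descending | Format-Table -AutoSize
```

A user who appears with an Authenticator device here but still stops getting push notifications points back to the phone-side settings mentioned above rather than to the registration.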

My Entra admin seems to be different to the steps you suggest??
Can't see a view option or anything to do with Authenticator??

Here is a collage of pictures that follow along with the steps I provided earlier. The experts here will be able to help further with troubleshooting your problem. I'm not sure what the differences could be between our portals... Possibly licensing.
User generated image


Very helpful, thank you 😊👍