When conditional access policies are set up so that Azure Multi-Factor Authentication is expected to be enforced, some users aren't prompted to verify their identities through a second verification method. This issue may occur in the following scenarios:
- Scenario 1: Multi-factor authentication is suspended on a remembered device
In this scenario, an admin sets up trusted networks for multi-factor authentication and enables the Allow users to suspend multi-factor authentication by causing a device to be remembered option.
- Scenario 2: The user is a member of the exception group
In this scenario, the user is a member of an exception group for the app. When an admin sets up multi-factor authentication access policies for an app, an admin can select the Except box to set up groups as exceptions.
Scenario 1: Multi-factor authentication is suspended on a remembered device
To troubleshoot, follow these steps:
- Confirm that the Allow users to suspend multi-factor authentication option is enabled.
- If the option is enabled, have the user try one or more of the following:
  - Delete browser cookies.
  - Use a different browser.
  - Use an InPrivate browsing session.
Scenario 2: The user is a member of the exception group
To troubleshoot, try one or more of the following:
- Remove the user from the exception group.
- Remove the group from the list of exception groups.
Scenario 1: Multi-factor authentication is suspended on a remembered device
This option lets users who have successfully authenticated through multi-factor authentication avoid future multi-factor authentication prompts for the next 1–60 days, depending on the value that's configured in the Days before a device must re-authenticate setting.
This is true even if the app is set to Require multi-factor authentication, Require multi-factor authentication when not at work, or Block access when not at work, and the user's device isn't on a trusted network.
For more information, see Suspend Multi-Factor Authentication for remembered devices and browsers (Public Preview).
Scenario 2: The user is a member of the exception group
For users who are members of the exception group, the requirement for multi-factor authentication on the user account is overridden.
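The following triage sketch is an added example, not code from this article or from Microsoft. It models the two scenarios above over constructed records to show which one explains a missing prompt and which remediation applies. The record layout and all field, user, and group names are assumptions, as is tracking the remembered state per browser (which the cookie-related troubleshooting steps imply).

```python
from datetime import datetime, timedelta

# Constructed policy and sign-in records; every field name here is hypothetical.
POLICY = {
    "remember_device_enabled": True,     # "Allow users to suspend multi-factor authentication ..."
    "remember_days": 14,                 # "Days before a device must re-authenticate" (1-60)
    "exception_groups": {"mfa-exempt"},  # groups selected with the Except box
}
USERS = {
    "alice": {"groups": {"sales", "mfa-exempt"}, "remembered": {}},
    "bob":   {"groups": {"sales"}, "remembered": {"edge": datetime(2016, 12, 20)}},
    "carol": {"groups": {"sales"}, "remembered": {"edge": datetime(2016, 12, 1)}},
}

def explain_missing_prompt(user, policy, browser, now):
    """Return (scenario, remediation) pairs explaining why no MFA prompt appeared."""
    findings = []
    # Scenario 2: exception-group membership overrides the MFA requirement.
    for group in sorted(user["groups"] & policy["exception_groups"]):
        findings.append(("exception group: " + group,
                         "remove the user from the group, or the group from the exceptions"))
    # Scenario 1: a prior MFA in this browser is remembered until the window expires.
    days = policy["remember_days"]
    if policy["remember_device_enabled"] and 1 <= days <= 60:
        last_mfa = user["remembered"].get(browser)
        if last_mfa is not None and now < last_mfa + timedelta(days=days):
            expires = (last_mfa + timedelta(days=days)).date().isoformat()
            findings.append(("remembered device until " + expires,
                             "delete cookies, use another browser, or use InPrivate"))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 12, 29)
    for name, user in USERS.items():
        result = explain_missing_prompt(user, POLICY, "edge", now)
        print(name, result or "neither scenario applies")
```

An empty result means neither scenario accounts for the missing prompt, so the cause lies outside what this article covers.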
Article ID: 3124671 - Last Review: Dec 29, 2016 - Revision: 1