Some users who are enabled for Azure Multi-Factor Authentication aren't prompted for a second verification method

PROBLEM
When conditional access policies are set up so that Azure Multi-Factor Authentication is expected to be enforced, some users aren't prompted to verify their identities through a second verification method. This issue may occur in the following scenarios:
  • Scenario 1: Multi-factor authentication is suspended on a remembered device

    In this scenario, an admin sets up trusted networks for multi-factor authentication and enables the Allow users to suspend multi-factor authentication by causing a device to be remembered option.
  • Scenario 2: The user is a member of the exception group

    In this scenario, the user is a member of an exception group for the app. When an admin sets up multi-factor authentication access policies for an app, an admin can select the Except box to set up groups as exceptions.
Even though the settings in these scenarios are configured, you expect users to be prompted for the second verification method because of the conditional access policies that you applied. 
SOLUTION

Scenario 1: Multi-factor authentication is suspended on a remembered device

To troubleshoot, follow these steps:
  1. Confirm that the Allow users to suspend multi-factor authentication option is enabled.
  2. If the option is enabled, have the user try one or more of the following:
    • Delete browser cookies.
    • Use a different browser.
    • Use an InPrivate browsing session.

Scenario 2: The user is a member of the exception group

To troubleshoot, try one or more of the following:
  • Remove the user from the exception group.
  • Remove the group from the list of exception groups.
MORE INFORMATION

Scenario 1: Multi-factor authentication is suspended on a remembered device

This option lets users who have successfully authenticated through multi-factor authentication avoid future multi-factor authentication prompts for the next 1–60 days, depending on the value that's configured in the Days before a device must re-authenticate setting.

This is true even if the app is set to Require multi-factor authentication, Require multi-factor authentication when not at work, or Block access when not at work, and the user's device isn't on a trusted network.

For more information, see Suspend Multi-Factor Authentication for remembered devices and browsers (Public Preview).

Scenario 2: The user is a member of the exception group

For users who are members of the exception group, the requirement for multi-factor authentication on the user account is overridden. 
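
The two scenarios above can be expressed as a small triage check for sign-ins that skipped the second verification method. This is an added example, not Microsoft's code and not how Azure AD evaluates policy internally; the class and field names, the MFA-Exempt group, and the sample sign-ins are constructed for illustration.

```python
# Added illustration: a simplified model of this article's two scenarios.
# It is not Azure AD's policy engine; every name here is hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class TenantConfig:
    remember_device_enabled: bool  # the "Allow users to suspend..." option
    remember_days: int             # "Days before a device must re-authenticate"
    exception_groups: frozenset    # groups selected with the app's "Except" box

    def __post_init__(self):
        if not 1 <= self.remember_days <= 60:  # range stated in the article
            raise ValueError("remember_days must be between 1 and 60")

@dataclass
class SignIn:
    user: str
    groups: frozenset
    days_since_mfa: Optional[int]  # on this browser; None = not remembered

def explain_missing_prompt(cfg, s):
    """Return (scenario, detail) pairs that explain a missing MFA prompt."""
    findings = []
    # Scenario 1: prompt suspended on a remembered device. Treating the
    # window as "fewer than remember_days elapsed" is a modelling assumption.
    if (cfg.remember_device_enabled and s.days_since_mfa is not None
            and 0 <= s.days_since_mfa < cfg.remember_days):
        left = cfg.remember_days - s.days_since_mfa
        findings.append(("remembered device", f"{left} day(s) left"))
    # Scenario 2: membership in any exception group overrides the requirement.
    hits = sorted(cfg.exception_groups & s.groups)
    if hits:
        findings.append(("exception group", ", ".join(hits)))
    return findings

def audit(cfg, signins):
    """Map each user to the scenario names that suppressed their prompt."""
    return {s.user: [name for name, _ in explain_missing_prompt(cfg, s)]
            for s in signins}

# Constructed sample data (not taken from any real tenant).
CFG = TenantConfig(True, 14, frozenset({"MFA-Exempt"}))
SIGNINS = [
    SignIn("alice", frozenset({"Sales"}), 3),
    SignIn("bob", frozenset({"Sales", "MFA-Exempt"}), None),
    SignIn("carol", frozenset({"Sales"}), 20),
    SignIn("dave", frozenset({"MFA-Exempt"}), 1),
]
```

An empty list for a user means neither scenario applies, so the missing prompt has to be explained some other way.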

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 3124671 - Last Review: 12/30/2015 19:38:00 - Revision: 2.0

Microsoft Office 365, Microsoft Azure Active Directory, Microsoft Azure Cloud Services, Microsoft Intune
