Some users who are enabled for Azure Multi-Factor Authentication aren't prompted for a second verification method

PROBLEM

When conditional access policies are set up so that Azure Multi-Factor Authentication is expected to be enforced, some users aren't prompted to verify their identities through a second verification method. This issue may occur in the following scenarios:
  • Scenario 1: Multi-factor authentication is suspended on a remembered device

    In this scenario, an admin sets up trusted networks for multi-factor authentication and enables the Allow users to suspend multi-factor authentication by causing a device to be remembered option.
  • Scenario 2: The user is a member of the exception group

    In this scenario, the user is a member of an exception group for the app. When an admin sets up multi-factor authentication access policies for an app, an admin can select the Except box to set up groups as exceptions.
Even though the settings in these scenarios are configured, you expect users to be prompted for the second verification method because of the conditional access policies that you applied. 

SOLUTION

Scenario 1: Multi-factor authentication is suspended on a remembered device

To troubleshoot, follow these steps:
  1. Confirm that the Allow users to suspend multi-factor authentication option is enabled.
  2. If the option is enabled, have the user try one or more of the following:
    • Delete browser cookies.
    • Use a different browser.
    • Use an InPrivate browsing session.

Scenario 2: The user is a member of the exception group

To troubleshoot, try one or more of the following:
  • Remove the user from the exception group.
  • Remove the group from the list of exception groups.

MORE INFORMATION

Scenario 1: Multi-factor authentication is suspended on a remembered device

This option lets users who have successfully authenticated through multi-factor authentication avoid future multi-factor authentication prompts for the next 1–60 days, depending on the value that's configured in the Days before a device must re-authenticate setting.

This is true even if the app is set to Require multi-factor authentication, Require multi-factor authentication when not at work, or Block access when not at work, and the user's device isn't on a trusted network.

For more information, see Suspend Multi-Factor Authentication for remembered devices and browsers (Public Preview).

Scenario 2: The user is a member of the exception group

For users who are members of the exception group, the requirement for multi-factor authentication on the user account is overridden. 
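The two overrides described above can be modeled as a triage check that reports why a given sign-in was not prompted. This is an added example, not Microsoft code: the data classes, field names, group name and sample sign-ins are hypothetical and constructed for illustration, and the exact expiry boundary of the remembered-device window is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical data model for this example; these are not Azure AD API objects.
@dataclass
class TenantSettings:
    allow_remember_device: bool   # the "Allow users to suspend multi-factor authentication..." option
    remember_days: int            # "Days before a device must re-authenticate" (1-60)

@dataclass
class AppPolicy:
    rule: str                                            # e.g. "Require multi-factor authentication"
    exception_groups: set = field(default_factory=set)   # groups selected with the Except box

@dataclass
class SignIn:
    user: str
    groups: set
    device_remembered_at: Optional[datetime]   # None: no remembered-device cookie in this browser
    when: datetime

def mfa_skip_reasons(tenant, policy, signin):
    """Return every reason this sign-in is not prompted; an empty list means a prompt is expected."""
    if not 1 <= tenant.remember_days <= 60:
        raise ValueError("remember_days must be between 1 and 60")
    reasons = []
    # Scenario 1: the option is enabled and the device is still inside its remembered window.
    if tenant.allow_remember_device and signin.device_remembered_at is not None:
        expires = signin.device_remembered_at + timedelta(days=tenant.remember_days)
        if signin.device_remembered_at <= signin.when < expires:   # boundary is an assumption
            reasons.append(f"scenario 1: device remembered until {expires:%Y-%m-%d}")
    # Scenario 2: membership in any exception group overrides the app's MFA rule.
    hit = sorted(signin.groups & policy.exception_groups)
    if hit:
        reasons.append("scenario 2: member of exception group(s) " + ", ".join(hit))
    return reasons

# Constructed sample data (not real users or sign-in logs).
NOW = datetime(2016, 12, 29, 9, 0)
TENANT = TenantSettings(allow_remember_device=True, remember_days=14)
POLICY = AppPolicy("Require multi-factor authentication", {"MFA-Exempt"})
SIGNINS = [
    SignIn("alice", {"Sales"}, NOW - timedelta(days=10), NOW),   # inside the 14-day window
    SignIn("bob", {"Sales", "MFA-Exempt"}, None, NOW),           # exception group member
    SignIn("carol", {"Sales"}, NOW - timedelta(days=20), NOW),   # window expired
]
RESULT = {s.user: mfa_skip_reasons(TENANT, POLICY, s) for s in SIGNINS}
for user, why in RESULT.items():
    print(user, "->", "; ".join(why) or "prompt expected")
```

A user with an empty reason list who still isn't prompted falls outside both scenarios on this page.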

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.
Properties

Article ID: 3124671 - Last reviewed: December 29, 2016 - Revision: 1

Office 365, Microsoft Azure Active Directory, Microsoft Azure Cloud Services, Microsoft Intune
