Conditional Access MFA policy not triggering for some users

Idris 0 Reputation points
2025-11-12T06:45:06.4766667+00:00

I’ve set up a Conditional Access policy in Entra ID to enforce MFA for all users in a specific group. The policy is enabled and the group assignments look correct, but a few users in that same group aren’t being prompted for MFA when they sign in.

I’ve already verified that the policy is set to “On” and applies to “All cloud apps.” There are no exclusions configured for these users.


3 answers

  1. Q&A Assist
    2025-11-12T06:45:45.1333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    There are several reasons why some users in a Conditional Access policy may not be prompted for multifactor authentication (MFA) even if they are part of the targeted group. Here are some troubleshooting steps you can consider:

    1. User State: Ensure that the users who are not being prompted for MFA do not have any existing sessions that might bypass the MFA requirement. If they have already authenticated recently, they may not be prompted again until their session expires.
    2. Device Compliance: Check if the users' devices are compliant with your organization’s Intune compliance policies. If the policy requires devices to be marked as compliant, non-compliant devices will not trigger MFA.
    3. Sign-in Method: Verify the sign-in method used by these users. If they are using external authentication methods that are incompatible with the authentication strength, this could prevent the MFA prompt.
    4. Policy Conflicts: Ensure that there are no other Conditional Access policies that might conflict with the MFA policy. If there are multiple policies, the most restrictive one will apply, and it may inadvertently exclude MFA for certain users.
    5. Policy Scope: Double-check the policy settings to confirm that the policy is indeed set to apply to all users in the specified group without exclusions. Sometimes, a misconfiguration in the group settings can lead to unexpected behavior.
    6. User Roles: If the users have specific roles that might exempt them from MFA, ensure that the Conditional Access policy is correctly configured to include all necessary roles.

    If the issue persists after checking these factors, you may want to review the sign-in logs in the Microsoft Entra admin center for any errors or messages related to the users' sign-in attempts.



  2. SUNOJ KUMAR YELURU 16,776 Reputation points MVP Volunteer Moderator
    2025-11-12T07:06:20.9166667+00:00

    Hello @Idris

    To troubleshoot why Conditional Access MFA isn't triggering for specific users:

    1. Analyze Entra ID Sign-in Logs for policy application details.
    2. Check for conflicting policies granting access without MFA.
    3. Verify user MFA registration, licensing, and block legacy authentication.
    4. Clear browser cache or wait for Entra ID replication.

    The most likely causes are legacy authentication usage, conflicting policies, or unmet policy conditions during sign-in.


    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.


  3. VEMULA SRISAI 2,040 Reputation points Microsoft External Staff Moderator
    2025-11-12T12:48:04.27+00:00

    Hello Idris,

    Based on your description, the Conditional Access MFA policy is enabled and correctly assigned, but some users are not being prompted for MFA. This typically happens when the policy is not applied during sign-in or MFA is already satisfied by another mechanism. Please check the sign-in logs:

    • Go to Microsoft Entra admin center → Monitoring → Sign-in logs.
    • Select an affected user’s recent sign-in.
    • Under Authentication Details → Conditional Access, verify:
      • Was the policy evaluated?
      • If Not Applied, note the reason (e.g., “User excluded,” “Other policy satisfied MFA”).

    Please try the following common fixes to ensure your Conditional Access MFA policy works as expected:

    1. Disable legacy MFA settings
      • In the classic MFA portal, make sure per-user MFA is Disabled. Conditional Access should control MFA, not legacy settings.
    2. Disable Security Defaults (if enabled)
      • Go to Microsoft Entra admin center → Properties → Manage Security Defaults → Disable.
    3. Check trusted locations
      • If your policy excludes trusted IPs or named locations, users signing in from those locations will not be prompted for MFA.
    4. Revoke sessions
      • Navigate to Users → Select the affected user → Revoke sessions to force re-authentication.
    5. Test in Incognito/Private mode
      • This ensures cached tokens do not bypass MFA prompts.

    After applying these steps, ask the user to sign in again and confirm if MFA is triggered. If the issue persists, please share the Conditional Access evaluation result from the Sign-in logs for further analysis.

    Kindly let us know if the above comment helps or you need further assistance on this issue.

    Please "upvote" if the information helped you. This will help us and others in the community as well.
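The sign-in log check that both answers above lean on can be scripted once the records are exported. The following is an added example, not code from this thread or from Microsoft: it reads sign-in records in the shape of the Microsoft Graph `signIn` resource (what `GET /auditLogs/signIns` or `Get-MgAuditLogSignIn` returns) and turns the per-policy `result` and `enforcedGrantControls` values into reason codes matching the causes discussed here: policy not evaluated, report-only, conditions not matched, MFA silently satisfied by an existing session, or a legacy-auth client. The policy name, the user records and the `LEGACY_CLIENTS` set are constructed assumptions; check your own tenant's logs for the exact client strings it reports.

```python
"""Triage Microsoft Entra sign-in log records to explain why a Conditional
Access MFA policy did or did not take effect for a user.

Field names (appliedConditionalAccessPolicies, result, enforcedGrantControls,
clientAppUsed, isInteractive, createdDateTime) follow the Microsoft Graph
`signIn` resource returned by GET /auditLogs/signIns. All records below are
constructed samples, not data from a real tenant.
"""
from typing import Dict, List

# Client strings Entra reports for protocols that cannot complete an MFA
# challenge; Conditional Access can only block these, never prompt.
# Assumed list of common values; extend it from your own logs.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}


def explain_sign_in(rec: Dict, policy_name: str) -> List[str]:
    """Return reason codes for one sign-in against the named CA policy."""
    reasons: List[str] = []
    if rec.get("clientAppUsed") in LEGACY_CLIENTS:
        reasons.append("legacy-auth-client")

    by_name = {p.get("displayName"): p
               for p in rec.get("appliedConditionalAccessPolicies", [])}
    policy = by_name.get(policy_name)
    if policy is None:
        # Absence from the evaluation list usually means the policy is
        # disabled, misnamed, or not yet replicated to the sign-in service.
        reasons.append("policy-not-evaluated")
        return reasons

    result = policy.get("result", "unknown")
    requires_mfa = any(g.lower() == "mfa"
                       for g in policy.get("enforcedGrantControls", []))
    if result == "notEnabled":
        reasons.append("policy-disabled")
    elif result.startswith("reportOnly"):
        reasons.append("policy-report-only")        # evaluated, never enforced
    elif result == "notApplied":
        reasons.append("conditions-not-matched")    # scope, exclusion, location
    elif result == "success" and requires_mfa:
        # Policy enforced MFA. A non-interactive sign-in (token refresh) is
        # satisfied by the MFA claim already in the session, so no prompt is
        # shown; revoking sessions or a private window forces a fresh one.
        reasons.append("mfa-satisfied-by-existing-session"
                       if not rec.get("isInteractive", True) else "mfa-required")
    elif result == "success":
        reasons.append("policy-grants-without-mfa")  # grant control misconfigured
    elif result == "failure":
        reasons.append("mfa-not-satisfied")
    else:
        reasons.append("unexpected-result:" + result)
    return reasons


def triage(records: List[Dict], policy_name: str) -> Dict[str, List[str]]:
    """Map each user's most recent sign-in to its reason codes."""
    out: Dict[str, List[str]] = {}
    # Ascending sort means the latest record per user wins.
    for rec in sorted(records, key=lambda r: r.get("createdDateTime", "")):
        out[rec["userPrincipalName"]] = explain_sign_in(rec, policy_name)
    return out


POLICY = "Require MFA - Finance group"   # constructed policy name


def _rec(upn, when, client, interactive, policies):
    """Build a minimal constructed signIn record."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "clientAppUsed": client, "isInteractive": interactive,
            "appliedConditionalAccessPolicies": policies}


# Constructed samples covering the outcomes discussed in the thread.
SAMPLE_SIGN_INS = [
    _rec("alice@contoso.example", "2025-11-12T06:01:00Z", "Browser", True,
         [{"displayName": POLICY, "result": "success",
           "enforcedGrantControls": ["Mfa"]}]),
    _rec("bob@contoso.example", "2025-11-12T06:02:00Z", "Exchange ActiveSync",
         False, [{"displayName": POLICY, "result": "notApplied",
                  "enforcedGrantControls": []}]),
    _rec("carol@contoso.example", "2025-11-12T06:03:00Z", "Browser", True,
         [{"displayName": POLICY, "result": "reportOnlySuccess",
           "enforcedGrantControls": ["Mfa"]}]),
    _rec("dave@contoso.example", "2025-11-12T06:04:00Z",
         "Mobile Apps and Desktop clients", False,
         [{"displayName": POLICY, "result": "success",
           "enforcedGrantControls": ["Mfa"]}]),
    _rec("erin@contoso.example", "2025-11-12T06:05:00Z", "Browser", True,
         [{"displayName": "Block legacy auth", "result": "notApplied",
           "enforcedGrantControls": []}]),
]

if __name__ == "__main__":
    for upn, codes in triage(SAMPLE_SIGN_INS, POLICY).items():
        print(f"{upn:26} {', '.join(codes)}")
```

Feed it the JSON array from a real export (for example `Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain'" | ConvertTo-Json -Depth 5`) and the reason code tells you which of the fixes above applies: `conditions-not-matched` points at scope, exclusions and trusted locations; `mfa-satisfied-by-existing-session` at revoking sessions; `legacy-auth-client` at blocking legacy authentication; `policy-report-only` or `policy-disabled` at the policy state itself.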

