Azure AD MFA is not deterministic

Time:03-18

I am using Azure services and Azure AD Free (my personal account). I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users. When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; maybe this is because the browser sends a cookie? Or maybe because MFA is not always triggered? Also, if I open an incognito window I get prompted for a code, received via email. My question here is why email? As per MFA AAD

To remove all those sessions, enable “Revoke MFA sessions” which clears all remembered sessions history and asks for second verification.


As you already mentioned, the MFA code won't be sent via email.

From this Microsoft Doc,

Email address is only used for Self-Service Password Reset (SSPR) not for authentication.

There is also a possibility that your password has expired and it is sending a code to your email to reset it, as you have given it as a recovery option.

NOTE:

As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA, based on factors such as location, device, role and task.

For example, if you are accessing from a different location and it seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which need Azure AD Premium licenses.
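To check the behaviour the answer describes from your own tenant's data, the following added example (not part of the original post or any Microsoft code) triages sign-in records shaped like the Microsoft Graph `signIn` resource for privileged accounts that succeeded with a single factor, and builds the Conditional Access payload that would require MFA for a directory role. The sample records, account names and the role template ID placeholder are constructed assumptions.

```python
"""Audit Azure AD sign-ins for privileged accounts that completed without MFA.
Added example, not from the original post. Records are modelled on the Microsoft
Graph `signIn` resource; sample records and account names are constructed."""
from collections import Counter

# Constructed sample: what an export of /auditLogs/signIns might contain.
# errorCode 0 = sign-in succeeded; 50074 = interrupted because MFA was required.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50074}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.22",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]
PRIVILEGED = {"admin@contoso.example"}  # constructed: accounts holding Global Administrator

def single_factor_successes(signins, privileged):
    """Successful sign-ins by privileged accounts that Azure AD let through with one factor."""
    return [s for s in signins
            if s["userPrincipalName"] in privileged
            and s["status"]["errorCode"] == 0
            and s["authenticationRequirement"] == "singleFactorAuthentication"]

def summarize(signins):
    """Count (requirement, CA status) pairs: 'notApplied' everywhere means no Conditional
    Access policy is enforcing MFA, so Security Defaults alone decides when to prompt."""
    return Counter((s["authenticationRequirement"], s["conditionalAccessStatus"])
                   for s in signins)

def admin_mfa_policy(role_template_id="<GLOBAL-ADMIN-ROLE-TEMPLATE-ID>"):
    """Graph payload for a Conditional Access policy that always requires MFA for a role
    (POST /identity/conditionalAccess/policies; needs Azure AD Premium). The default
    role ID is a placeholder: take it from your tenant's directory role templates."""
    return {
        "displayName": "Require MFA for Global Administrators",
        "state": "enabledForReportingButNotEnforced",  # report-only first, then "enabled"
        "conditions": {
            "users": {"includeRoles": [role_template_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
```

Run `single_factor_successes` over a real export to see exactly which admin sessions were admitted without a second factor, which is the evidence behind the "not deterministic" observation.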
