Normal User MFA Behavior of Azure AD Security Default
Issue Description:
The customer reported an issue related to user authentication and multi-factor authentication (MFA) settings. The account involved is a regular user with no administrative privileges. The problem concerns the behavior of Security Defaults, which is designed to prompt normal users for MFA only when necessary.
Issue Analysis:
Reviewing the sign-in logs for the timestamps the customer provided, we found that the user accessed the office.com application from an Australian IP address. Because this sign-in did not raise any notable risk flags, Microsoft Azure did not consider it necessary to challenge the user for MFA.
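The log review described above, as an added example that is not part of the original write-up: a Python check over constructed sign-in records (Microsoft Graph signIn field names; the sample values, user names and time window are assumptions) that lists a user's successful sign-ins within a window that completed without an MFA challenge, which is exactly the evidence that shows why Security Defaults did not prompt.

```python
import json
from datetime import datetime, timezone

# Constructed sample of Azure AD sign-in records (a subset of Microsoft Graph
# signIn fields); made-up values, not customer data.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2023-06-12T01:15:03Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "office.com", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "AU"},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-06-12T03:40:51Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "office.com", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "AU"},
     "riskLevelDuringSignIn": "medium", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-06-13T09:02:10Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "office.com", "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "AU"},
     "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # failed sign-in (wrong password): must be ignored
])


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp Graph emits (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def single_factor_signins(raw_json: str, upn: str, start: str, end: str) -> list:
    """Successful sign-ins by `upn` within [start, end] that were not challenged for MFA.
    Under Security Defaults a non-admin user is only prompted when Microsoft flags the
    attempt, so each hit is a sign-in that went through without a second factor."""
    lo, hi = parse_time(start), parse_time(end)
    hits = []
    for rec in json.loads(raw_json):
        if rec["userPrincipalName"].lower() != upn.lower():
            continue
        if rec["status"]["errorCode"] != 0:   # failed attempts never reached the MFA decision
            continue
        if not lo <= parse_time(rec["createdDateTime"]) <= hi:
            continue
        if rec["authenticationRequirement"] == "singleFactorAuthentication":
            hits.append({"time": rec["createdDateTime"], "app": rec["appDisplayName"],
                         "ip": rec["ipAddress"], "country": rec["location"]["countryOrRegion"],
                         "risk": rec["riskLevelDuringSignIn"]})
    return hits


if __name__ == "__main__":
    window = ("2023-06-12T00:00:00Z", "2023-06-12T23:59:59Z")
    for hit in single_factor_signins(SAMPLE_SIGNINS, "alice@contoso.example", *window):
        print(hit)
```

Against a real tenant, feed the function the JSON returned by the Graph sign-in logs endpoint for the user and window in question; a hit with risk "none" and no MFA is the Security Defaults behavior described above, not a misconfiguration.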
Issue Explanation:
Security Defaults is designed to enhance security by requiring MFA only when specific conditions are met. Lower-risk users may not be prompted for MFA when Microsoft does not deem their sign-in attempts notable. This behavior aims to balance security with usability. However, if we require more control over MFA settings, we have a few options available:
- Per-user MFA: Assigning administrative privileges to the user would allow us to use per-user MFA. This means we can individually configure MFA settings for specific users, providing more granular control.
- Elevate users to a higher risk category: By granting admin access to users, we can elevate their risk category, triggering MFA requirements at our desired level of security.
- Upgrade licenses for Conditional Access: Another option is to upgrade licenses to enable Conditional Access. This allows us to set specific conditions for requiring MFA, giving us more flexibility in enforcing MFA for different scenarios.
Further Action:
To prevent similar occurrences in the future, we suggest the following actions:
- Assign administrative privileges to the user, which will grant us the ability to configure per-user MFA settings while keeping the Security Defaults in place.
- Alternatively, we can apply MFA to the user directly through per-user MFA or a Conditional Access policy (Azure AD Premium license required). This approach leaves the user's existing properties and privileges unchanged.
By implementing either of these approaches, we can ensure that MFA is appropriately enforced for the user while maintaining a balance between security and user experience.
Reference: Providing a default level of security in Azure Active Directory – Microsoft Entra | Microsoft Learn