Azure MFA not working when activating an Azure AD Role with MFA setting enabled

Allan J. Dela Pena 26 Reputation points
2020-08-11T14:48:11.667+00:00

Hi All,

I'm trying to configure Azure AD role with MFA enabled when a user activate the role but MFA is not kicking in.

I have Conditional Access configured when users logging in to the Azure Portal and that is working as expected. So for me, MFA from the user's perspective is working just fine.

Can you please help?

Cheers,
Allanm

Microsoft Entra
0 comments
Accepted answer
  1. JamesTran-MSFT 36,606 Reputation points Microsoft Employee
    2020-08-11T22:09:44.303+00:00

    @Allan J. Dela Pena
    It sounds like you're using a PIM role when you mentioned activating an AzureAD Role. When using PIM, you can enable MFA by going to the actual role within PIM and enabling MFA on activation.

    1.AzureAD Privileged Identity Management -> AzureAD Roles -> Role settings -> Select the specific role -> Settings -> Edit
    2.From here you can require MFA "on activation"
    17018-rolemfa.jpg

    3.You can also activate roles "on active assignment", which doesn't require MFA.
    17019-activeassignment.jpg

    4.When activating a role within PIM, you will see a dialogue box on the Azure Portal prompting for additional verification/MFA.
    17025-activatemfa.jpg

    I hope this helps. Please let me know if you have any other questions.
    Thank you for your time!

    0 comments

7 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Manu Philip 18,156 Reputation points MVP
    2020-08-11T15:42:35.197+00:00

    Have you set it correct? Select Use policy immediately under Enable policy option and Save to apply settings.
    17032-mfa6.png

    0 comments
  2. Allan J. Dela Pena 26 Reputation points
    2020-08-11T16:43:20.913+00:00

    Hi ManuPhilip,

    I have my custom MFA Policy(the only policy actually) which works just fine. I don't have any of the baseline policies.

    17074-mfa-ca.png

    Cheers,
    Allan

    0 comments
  3. Manu Philip 18,156 Reputation points MVP
    2020-08-11T18:01:30.767+00:00

    I think you probably want the advanced controls that Azure Active Directory Conditional Access for administrators to perform multi-factor authentication
    Reference: concept-fundamentals-security-defaults

    0 comments
  4. Allan J. Dela Pena 26 Reputation points
    2020-08-11T18:07:28.447+00:00

    I'm not using the security defaults, if that's what you're referring to. I have that option disabled. See below:

    16937-image.png

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.