Azure MFA not working when activating an Azure AD Role with MFA setting enabled

Allan J. Dela Pena 26 Reputation points
2020-08-11T14:48:11.667+00:00

Hi All,

I'm trying to configure an Azure AD role with MFA enabled when a user activates the role, but MFA is not kicking in.

I have Conditional Access configured for when users log in to the Azure Portal, and that is working as expected. So for me, MFA from the user's perspective is working just fine.

Can you please help?

Cheers,
Allanm


Accepted answer
  1. JamesTran-MSFT 36,636 Reputation points Microsoft Employee
    2020-08-11T22:09:44.303+00:00

    @Allan J. Dela Pena
    It sounds like you're using a PIM role when you mentioned activating an AzureAD Role. When using PIM, you can enable MFA by going to the actual role within PIM and enabling MFA on activation.

    1. AzureAD Privileged Identity Management -> AzureAD Roles -> Role settings -> Select the specific role -> Settings -> Edit
    2. From here you can require MFA "on activation"
    17018-rolemfa.jpg

    3. You can also activate roles "on active assignment", which doesn't require MFA.
    17019-activeassignment.jpg

    4. When activating a role within PIM, you will see a dialogue box on the Azure Portal prompting for additional verification/MFA.
    17025-activatemfa.jpg

    I hope this helps. Please let me know if you have any other questions.
    Thank you for your time!


7 additional answers

  1. Allan J. Dela Pena 26 Reputation points
    2020-08-12T14:12:10.77+00:00

    @JamesTran-MSFT

    That's exactly my issue :-) I am not getting that "additional verification required..." even though I have set it to enforce MFA on activation.

    17176-image.png

    I noticed that you're using "jatran-CustomRole", will it also work with the Azure AD Built-In roles such as User Administrator?

    Please advise.

    Cheers,
    Allan


  2. Allan J. Dela Pena 26 Reputation points
    2020-08-12T14:28:19.19+00:00

    @JamesTran-MSFT

    Something caught my eye with this highlighted statement:

    17261-image.png

    OK, we might have narrowed it down to how long the session is.

    Apologies, I should have indicated the actual steps at the beginning :-(. So here they are:

    1. Log in to the Azure Portal - CA Policy "MFA for All Users" kicked in - so I'm getting the MFA prompt upon login (is this the session that's being considered the first session? - https://video2.skills-academy.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role?tabs=new#activate-a-role)
    2. Go to PIM ==> Azure AD Roles ==> My roles ==> Activate

    17224-image.png

    Can you please confirm that the reason why I'm not getting prompted again for MFA is because it's considered as the same session? If it is, how can I adjust this setting, if possible?

    Cheers,
    Allan


  3. Allan J. Dela Pena 26 Reputation points
    2020-08-12T14:41:16.21+00:00

    I just confirmed it.

    1. Disable CA Policy "MFA for All users"
    2. Go to PIM ==> Azure AD Roles ==> My roles ==> Activate then I get the MFA Prompt:

    17195-image.png

    My question still stands, how can I change the default session time for MFA?

    Thank you all for the assistance!

    Cheers,
    Allan
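The behaviour confirmed in this thread (a Conditional Access MFA prompt at portal login satisfies the "Require MFA on activation" setting, so PIM does not prompt again) means the audit trail for an activation may show no separate MFA challenge. The script below is an added example, not from the thread or from Microsoft, showing how a defender can cross-check activations that require MFA against the user's most recent sign-in. The records are constructed, the field names are modelled loosely on Azure AD sign-in log fields, and the one-hour session window is an assumption, not a documented PIM value.

```python
"""Flag PIM activations that require MFA but have no MFA-satisfied sign-in
in the same session window. Sample records are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SESSION_WINDOW = timedelta(hours=1)  # assumed; not a documented PIM value

@dataclass
class SignIn:
    user: str
    time: datetime
    # loosely modelled on the sign-in log's authenticationRequirement field
    authentication_requirement: str  # "multiFactorAuthentication" or "singleFactorAuthentication"

@dataclass
class Activation:
    user: str
    time: datetime
    role: str
    mfa_on_activation: bool  # PIM role setting "Require MFA on activation"

def mfa_satisfied(signin: SignIn) -> bool:
    return signin.authentication_requirement == "multiFactorAuthentication"

def covering_signin(act: Activation, signins: List[SignIn]) -> Optional[SignIn]:
    """Most recent sign-in by the same user within SESSION_WINDOW before the activation."""
    candidates = [s for s in signins
                  if s.user == act.user and act.time - SESSION_WINDOW <= s.time <= act.time]
    return max(candidates, key=lambda s: s.time, default=None)

def unverified_activations(acts: List[Activation], signins: List[SignIn]) -> List[Activation]:
    """Activations whose role requires MFA but whose covering sign-in lacked it (or is missing)."""
    flagged = []
    for act in acts:
        if not act.mfa_on_activation:
            continue  # MFA not required for this role: nothing to verify
        s = covering_signin(act, signins)
        if s is None or not mfa_satisfied(s):
            flagged.append(act)
    return flagged

# Constructed sample data (not a real tenant)
T0 = datetime(2020, 8, 12, 14, 0)
SIGNINS = [
    SignIn("allan", T0, "multiFactorAuthentication"),                       # CA policy "MFA for All Users" prompted
    SignIn("bob", T0 + timedelta(minutes=5), "singleFactorAuthentication"),  # no MFA at login
]
ACTIVATIONS = [
    Activation("allan", T0 + timedelta(minutes=10), "User Administrator", True),  # no re-prompt, but MFA-backed
    Activation("bob", T0 + timedelta(minutes=12), "User Administrator", True),    # no MFA sign-in at all: flagged
    Activation("carol", T0 + timedelta(minutes=20), "Reader", False),             # MFA not required
]

if __name__ == "__main__":
    for a in unverified_activations(ACTIVATIONS, SIGNINS):
        print(f"{a.user} activated {a.role} at {a.time} without an MFA-satisfied sign-in")
```

When PIM does prompt for MFA at activation, that challenge produces its own MFA-satisfied sign-in record, so a correctly prompted activation is not flagged.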

