Forum Discussion

james3149
Copper Contributor
Sep 05, 2024

Some users repeatedly prompted for MFA

All our devices are Intune joined.

MFA turned on with a conditional access policy:

  • Grant Access to: Require multifactor authentication;
  • Session only configured Sign in frequency: x days.

While the majority of users sign in to apps without any issue and are only required to re-authenticate with MFA after the defined x days, we have a small group of users who are asked for MFA every time they open a new app.

Intune indicates these users' computers are "Compliant". However, Entra - Monitoring - Sign-in logs show:

In the same monitoring for other users, Authentication Details are "previously satisfied". For these users, even when they are working on the same app on a desktop, they are still returned with "Mobile app notification" and therefore are asked for MFA:

DSREGCMD /status returns different Diagnostic Data results from the other devices without MFA issues: Last HostName Update : NONE.

*********************************************************************

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           Virtual Desktop : NOT SET
               Device Name : [COMPUTER_NAME]

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : [COMPUTER_ID]
                Thumbprint : [COMPUTER_THUMBPRINT]
 DeviceCertificateValidity : [ 2023-08-05 04:25:23.000 UTC -- 2033-08-05 04:55:23.000 UTC ]
            KeyContainerId : [COMPUTER_KEYCONTAINERID]
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : [TENANTNAME]
                 ...
                 ...
                 ...

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : [...] (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-09-03 23:32:02.000 UTC
      AzureAdPrtExpiryTime : 2024-09-17 23:32:01.000 UTC
       AzureAdPrtAuthority : [...]
             EnterprisePrt : NO
    EnterprisePrtAuthority :
                 OnPremTgt : NO
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : AzureAD\[USERNAME], [USEREMAILADDRESS]
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision

**************************************************************************

Can someone help here and shed some light on the issue?

 

  • DylanInfosec
    Iron Contributor

    Hi james3149,

    Experiencing the same thing, Hwayang?

    Are the working users also using Chrome? Wondering if these users with the broken experience are the only ones using Chrome and/or aren't getting all their configs successfully.

    Fairly certain the issue you're experiencing may be related to these endpoints missing the Chrome CloudAPAuthEnabled setting. This setting allows identity objects and device attestation properties to pass through Chrome to be evaluated by your CAPs.

     

    You can read more about this setting from Google Chrome, here.

    How to enable it locally, here.

    Finally, push this setting down to endpoints via Intune, here.

    As you can see, you have options. You can push the template and configure the setting, or you can create a Remediation script that checks and sets the RegKey from the "local" instructions. If you need the remediation + detection script, let me know; I went that route for testing and should have the scripts somewhere.

    If you give it a try, I'd love to know if this helps at all.

     

    (!) Note, you have to do this for Firefox as well if you use it in your environment: In the browser and via Intune.

     

    Best regards,

    Dylan

     
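An Intune-style detection/remediation script for the Chrome CloudAPAuthEnabled policy that DylanInfosec refers to above. This is an added example, not DylanInfosec's script or anything from the thread; it assumes the documented Chrome machine-policy registry location `HKLM:\SOFTWARE\Policies\Google\Chrome` with the value name equal to the policy name, and that the script runs as SYSTEM (the Intune remediation default) so it can write to HKLM. The Firefox equivalent mentioned in the post is not covered here.

```powershell
# Added example (not from the thread). Run with no parameters as the Intune detection
# script (exit 0 = compliant, exit 1 = remediation needed); run with -Remediate as the
# remediation script. Assumes execution as SYSTEM so that HKLM is writable.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Chrome reads machine-level policies from this key; the value name is the policy name.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ValueName = 'CloudAPAuthEnabled'
$Desired   = 1   # 1 = allow Chrome to use the Windows cloud AP (PRT/device claims) for sign-in

function Get-CloudApAuthState {
    # Returns the current DWORD value, or $null when the key or value does not exist.
    try {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction Stop
        return [int]$item.$ValueName
    } catch {
        return $null
    }
}

$current = Get-CloudApAuthState

if (-not $Remediate) {
    # Detection mode: report state and signal Intune whether remediation should run.
    if ($current -eq $Desired) {
        Write-Output "Compliant: $ValueName = $current"
        exit 0
    }
    $shown = if ($null -eq $current) { 'missing' } else { $current }
    Write-Output "Non-compliant: $ValueName = $shown"
    exit 1
}

# Remediation mode: create the policy key if needed and set the DWORD value.
if (-not (Test-Path -Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null

# Re-read and confirm; a non-zero exit tells Intune the remediation failed.
if ((Get-CloudApAuthState) -eq $Desired) {
    Write-Output "Remediated: $ValueName set to $Desired"
    exit 0
}
Write-Output "Remediation failed: $ValueName could not be set"
exit 1
```

After the value is set, confirm in the Entra sign-in log that the Chrome sign-in now carries the device identity (device ID populated) and that Authentication Details report "previously satisfied" instead of a fresh "Mobile app notification".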

  • james3149
    Copper Contributor

    It is not a user-related issue. I had one affected user work on a different computer. The user was only asked for MFA on the first day. The frequency settings worked for the user on a different computer.

     

    I focused on the device investigation and noticed the majority of affected users were working on computers with Device Compliance "Error".

    Some of them may also have an Antivirus error.

    However, even after I ran a sync and turned the firewall off and on to force the device to resync for the new changes, and even successfully turned the error to green/compliant, the user still has to MFA every time they open SharePoint.

     

    Hope someone can help on the issue.

  • james3149
    Copper Contributor

    Troubleshooting step taken:

    I excluded affected users from the "MFA conditional policy". This morning these users signed in without being prompted for MFA anymore. Therefore, the policy affecting the behaviour is the "MFA conditional policy". Any other MFA-related policy wouldn't trigger MFA at all, or MFA repeatedly.

     

    In this "MFA conditional policy", we apply it to all cloud apps and any devices, without exclusions.

     

    Seems to me the issue could be device related. Maybe some devices are "not compliant" and "not managed"?

     

    • Hwayang
      Copper Contributor

      Hi James, is this issue fixed now, or what did you find for this issue?

      • james3149
        Copper Contributor

        Fortunately or unfortunately, the issue went away by itself.
