1 vote

I recently added an Azure AD B2C tenant to an existing subscription.

Whenever I want to manage that tenant on portal.azure.com, I have to verify my account:

MFA

After clicking Next I can only select Mobile app from the dropdown to verify my account. There is no option to verify by phone.

Since this tenant is new, I first have to register it in Microsoft Authenticator by selecting Set up:

Additional Security Verification

This brings up an error message without Correlation ID or timestamp:

Mobile app configuration unavailable

There are no Conditional Access policies. In fact, I cannot add any since this tenant does not have Azure AD Premium. Nor does the Azure AD tenant holding the subscription from which this AD B2C tenant was created.

No Conditional Access Policies

MFA is only required when trying to manage the AD B2C tenant through portal.azure.com, not on other applications, and not when accessing the Azure AD tenant.

Questions:

  • How can I disable MFA for this AD B2C tenant? And why was it enabled in the first place?
  • If MFA cannot be disabled, how can I register my device or phone number?

Thx,

Comments:

Tony Ju: I just created a new Azure AD B2C tenant and didn't encounter such an issue. "Whenever I want to manage that tenant on portal.azure.com": can you explain more about this?

flip: Sure, @TonyJu. I mean, when I go to portal.azure.com and log in with a global administrator of my AD B2C tenant, I get the MFA popup. I have two global administrators. One is a local member of the AD B2C tenant, the other a member of the AD tenant from which the AD B2C tenant was originally created. Both have the same issue.

Tony Ju: Can you go to Azure Active Directory -> Users -> Multi-Factor Authentication to disable the multi-factor authentication?

flip: I can reach that page, @TonyJu, but MFA STATUS is 'Disabled' for all users. I have Enabled MFA for one global admin, logged on and back off in a private session, Disabled MFA again, and logged on again in a private session. The issue persists.

Tony Ju: If you create a new user, will that user need additional security verification?

4 Answers

0 votes

I think your answer @flip is part of the riddle. You're in effect pre-registering your phone number so when forced to setup MFA you're granted the additional TEXT options. We've noticed variations in the AAD join processes where sometimes you're prompted to enter a phone number prior to this step, and sometimes not.

For example if you log on to a device as a local user and join AAD as illustrated you can get both scenarios. I think the same is true for new build as in a previous Test we had to enter a mobile number but I can't recall exactly which scenario.

AAD join scenarios

However, after several more days with Azure support we've managed to isolate root cause if anyone is interested. Turns out MFA IS being enforced through "Security Defaults" (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). MS have actually just updated their article TODAY to clarify.

In effect, disabling Security Defaults will stop the enforcement although be wary not to confuse the prompts with Windows Hello setup as we were (we tested by disabling completely via Group Policy). I'm convinced however this wasn't the case a week ago and something's been changed behind the scenes recently.

Bottom line, you're going to have to deploy MFA in some form to join AAD unless you disable Security Defaults. Not great for endpoint migration but at least we know where it's coming from now.

1 vote

The issue is resolved. Not sure if Azure Support took action without notifying, or because of what I did. Anyway, here are the steps I took:

  • On portal.azure.com, go to Azure AD > Users > Multi-Factor Authentication. (It's in the top menu.)
    Multi-Factor Authentication

  • The Multi-Factor Authentication page opens in a new browser window.
    Enable MFA for the user account with the issue.

  • Log on with that account on account.activedirectory.windowsazure.com.
  • Click your account in the top-right corner to open a dropdown menu and select Profile.
  • Select 'Additional Security Verification'.
    All verification options are available here, including call, text, or use mobile app (Microsoft Authenticator).
  • Complete the Additional Security Verification and make sure MFA works.
  • Go back to Azure AD > Users > Multi-Factor Authentication, and Disable MFA again.

In our case, MFA was set to Disabled for all users but active anyway, both for local accounts in the AD B2C tenant and External Active Directory accounts.

MFA status of External Active Directory users cannot be changed on the Multi-Factor Authentication page of the AD B2C tenant. This has to be done in the Azure AD page of their respective AD tenant.

The problem is solved, but the cause is undetermined. We do not have an AD Premium subscription and should not have access to the MFA feature at all.

0 votes

I think we may have partly figured this out. In our instance, disabling MDM User Scope allowed logon without any 'Additional Security Verification' being enforced. We don't have an Intune subscription either, but this is under AAD > Mobility (MDM and MAM). It does mean, however, that devices aren't enrolled, so where exactly MDM is picking up this configuration from is the next question. Will be putting this to Azure support when they call us again tomorrow!

MDM configuration

0 votes

An Azure AD tenant comes with Security Defaults enabled. You will have to disable this setting in the Active Directory blade:

Azure Active Directory > Properties > Manage security defaults > toggle to No

This will disable the default MFA setup.
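As an added example (not code from any of the posters), the following read-only check reports whether Security Defaults, the mechanism the answers above identify as the source of the MFA prompt, is enforced in a given B2C tenant, using the Microsoft Graph PowerShell SDK; the tenant ID is an assumed placeholder.

```powershell
# Added example: report whether Security Defaults (the tenant-wide MFA baseline
# that applies when there is no Azure AD Premium / Conditional Access) is
# enforced in an Azure AD B2C tenant. Requires the Microsoft.Graph SDK modules.
param(
    # Placeholder: the B2C tenant ID (GUID) or <tenant>.onmicrosoft.com
    [Parameter(Mandatory)] [string] $TenantId
)

# Reading the policy needs Policy.Read.All. Sign in to the B2C tenant itself,
# not the home tenant that owns the subscription: each directory has its own
# Security Defaults policy, which is why the home tenant showed no MFA prompt.
Connect-MgGraph -TenantId $TenantId -Scopes "Policy.Read.All"

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

if ($policy.IsEnabled) {
    Write-Host "Security Defaults is ENABLED in $TenantId."
    Write-Host "Every user must register for MFA (Microsoft Authenticator) at sign-in,"
    Write-Host "regardless of the per-user status under Users > Multi-Factor Authentication."
} else {
    Write-Host "Security Defaults is DISABLED in $TenantId."
    Write-Host "If prompts persist, check per-user MFA status, Conditional Access (Premium only),"
    Write-Host "or the MDM user scope under Mobility (MDM and MAM)."
}

# The portal toggle (Properties > Manage security defaults > No) corresponds to
# the cmdlet below, which needs the Policy.ReadWrite.ConditionalAccess scope.
# Security Defaults is the baseline MFA protection for tenants that cannot use
# Conditional Access, so replace it with another MFA policy before turning it off.
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
```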
