简体繁体 English

Azure AD B2C MFA 强制执行不起作用

[英]Azure AD B2C MFA enforcement doesn't work

原文 2022-05-31 13:30:47 6 2 azure-active-directory/ azure-ad-b2c/ multi-factor-authentication

We want to have some users required to use MFA and some users that can log without.我们希望有一些需要使用 MFA 的用户和一些无需登录的用户。 For this we have two groups "MFA Required" and "MFA Not Required".为此，我们有两组“需要 MFA”和“不需要 MFA”。 When we want to active MFA for a user, we simply move them from one group to the other.当我们想为用户激活 MFA 时，我们只需将他们从一个组移动到另一个组。 We have a conditional access that enforces the MFA.我们有一个强制执行 MFA 的条件访问。

The includes/excludes:包括/不包括：

The grant:补助金：

The User flow:用户流：

The issue is that now I get the MFA screen for all users.问题是现在我得到了所有用户的 MFA 屏幕。 The "MFA Enforcement" even says "Conditional delegates the MFA decision to conditional access policies." “MFA Enforcement”甚至说“Conditional 将 MFA 决定委托给条件访问策略”。 when hovering above the "i".当悬停在“i”上方时。 When I check the option "Enforce conditional access policies" in the User Flow nothing changes.当我在用户流程中选中“强制执行条件访问策略”选项时，没有任何变化。

What is going on here?这里发生了什么？ I feel I'm missing something, but I can't find anything online.我觉得我错过了一些东西，但我在网上找不到任何东西。

EDIT: I checked the audit logs in azure and when I log in with the user from "MFA Required" I see this:编辑：我检查了 azure 中的审核日志，当我从“需要 MFA”的用户登录时，我看到了这个：

And for the user from "MFA Not Required" I see this:对于来自“不需要 MFA”的用户，我看到了这一点：

I still get the MFA screen for both though.不过，我仍然得到了两者的 MFA 屏幕。

2 个解决方案

The reason behind getting MFA screen for all users may be due to below:为所有用户获取 MFA 屏幕的原因可能是以下原因：

Check whether you have enabled per-user MFA to the users.检查您是否为用户启用了每用户 MFA 。

Please note that, if you are conditional access policies you should not enable/enforce per-user Azure Ad MFA.请注意，如果您是条件访问策略，则不应启用/强制执行每用户 Azure Ad MFA。
If you have enabled that option, the user might get MFA screen even they are excluded via conditional access policies.如果您启用了该选项，即使通过条件访问策略将用户排除在外，用户也可能会看到MFA 屏幕。
Check whether you have enabled security defaults option.检查您是否启用了安全默认选项。 If enabled, make sure to disable it.如果启用，请确保将其禁用。

Please check whether Self-Service Password Reset is enabled.请检查是否启用了自助密码重置。 Make sure to disable it.确保禁用它。

For more in detail, please refer below links:更多详细信息，请参考以下链接：

Enable per-user Multi-Factor Authentication - Azure Active Directory | 启用每用户多重身份验证 - Azure Active Directory | Microsoft Docs 微软文档

Disable Azure AD MFA Interrupt Mode for a group of users - Stack Overflow 为一组用户禁用 Azure AD MFA 中断模式 - Thinbug

RukminiMr-MT answer helped me gather a lot of information. RukminiMr-MT 的回答帮助我收集了很多信息。

I had contacts with people from Microsoft and the thing is that when you use the Authenticator app as MFA option every user will have to register their authenticator app as MFA solution the next/first time they log in (after the change).我与 Microsoft 的人员有过联系，问题是当您使用 Authenticator 应用程序作为 MFA 选项时，每个用户都必须在下次/第一次登录（更改后）时将其身份验证器应用程序注册为 MFA 解决方案。

After they registered it for the first time they'll never get the MFA screen again.在他们第一次注册后，他们将永远不会再获得 MFA 屏幕。 It's just a one time thing.这只是一次性的事情。 The second time they log in, only the users from my MFA list get the MFA screen.他们第二次登录时，只有我的 MFA 列表中的用户才能看到 MFA 屏幕。

Check the date of this answer, since there are items in preview everything I just said might already have changed.检查此答案的日期，因为预览中有项目我刚才所说的一切可能已经改变。