MFA is disabled, but your Users are still being forced to enable it.
Microsoft 365 can have MFA disabled; the User never installed/used the Microsoft Authenticator app … yet, your User is being forced into this sign-in flow. What is going on?
Microsoft 365 is more popular than ever. People are comfortable working in Microsoft Office, and managers are deciding to implement the service in their organizations. We spend A LOT of time working with Google Workspace and Microsoft 365. Google Workspace is significantly easier on administrators. Microsoft 365, Azure AD, and dozens of views into dozens of Admin consoles, multiple PowerShell modules … regular PowerShell, and Exchange Management Powershell. It’s never-ending.
Conditional Access (hidden..?)
Sign-in logs can be a great resource for determining what might force the MFA prompt. Frustratingly there are some “hidden” types of Conditional Access. MFA can be explicitly enforced even though it’s explicitly disabled! Good times.
This might result from the “Microsoft App Access Panel” application. Multiple conditions can trigger this. The culprit is often that Enable Azure Active Directory self-service password reset (SSPR) has been enabled – you’ll need to disable this, and your Users should soon be able to log in as you’d expect based on the settings in your admin.microsoft.com control panel.
