I had a mysterious case of the famous "Your Organisation Needs More Information To Keep Your Account Secure" prompt appearing for new accounts, where it never used to trigger before. By the power of Grayskull, what is this all about? Well, if you do not know what I am talking about, it's this:
This is the famous "multifactor registration" screen, which is triggered when you use a cloud application under the Office 365 umbrella or an Enterprise application that is part of an SSO requirement.
Conditional Access : The way it should work
These days the MFA process and MFA enrollment should be controlled by Conditional Access, as Conditional Access is an identity service that applies policy based on the user's identity. Nothing wrong with that, but remember that Conditional Access needs to know who you are before it can apply a policy to you.
Conditional Access : Named Locations
That is the key here. However, many organisations have a "named location" in Conditional Access whose networks are excluded from MFA enforcement; this is where Named Locations lives in the portal:
However, when you add a list of IP addresses, make sure they are only marked as trusted if you actually trust them, and by that I do not mean "least administrative effort" trusts. The red box shows where that trust is set:
Anyway, I digress; this is just laying the foundations. If Conditional Access is applying MFA and MFA registration, you will see in one of your many policies that under the "Grant" section "Require multifactor authentication" is enabled. This controls both MFA usage and registration. Sweet.
Review sign in logs
If you look at one of these sign-in entries you will notice that all the Conditional Access policies say "not applied", as below. How weird, or is it?
So this tells us that something other than Conditional Access is forcing the MFA registration page. Now we need to figure out what that is, so pop yourself into the Authentication tab on that request and you will see this:
Right, so the cause of this is not Conditional Access but Identity Protection, so we were looking in the wrong place. Let's pop over to Identity Protection, which starts at Azure Active Directory (AAD):
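As an added example (not from the original post), a small Python triage over an exported batch of sign-in records: it surfaces sign-ins where MFA was required even though every Conditional Access policy reads "not applied", and names the provider that actually forced it. The sample records are constructed, and the field names and enum values follow my reading of the Microsoft Graph signIn schema, so treat them as an assumption to check against your own export.

```python
import json
from collections import Counter

# Constructed sample export modelled on the Microsoft Graph signIn resource.
# Field names and enum values are an assumption; check them against your export.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "sign-in-1", "userPrincipalName": "new.user@example.com",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - All users", "result": "notApplied"},
    {"displayName": "Block legacy auth", "result": "notApplied"}],
  "authenticationRequirementPolicies": [
    {"requirementProvider": "mfaRegistrationRequiredByIdentityProtection"}]},
 {"id": "sign-in-2", "userPrincipalName": "old.user@example.com",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - All users", "result": "success"}],
  "authenticationRequirementPolicies": [
    {"requirementProvider": "multiConditionalAccess"}]},
 {"id": "sign-in-3", "userPrincipalName": "trusted.user@example.com",
  "authenticationRequirement": "singleFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA - All users", "result": "notApplied"}],
  "authenticationRequirementPolicies": []}
]""")

# A CA policy counts as applied on success or failure; notApplied = conditions not met.
APPLIED_RESULTS = {"success", "failure"}


def mfa_outside_conditional_access(signins):
    """Sign-ins that demanded MFA while no CA policy applied, paired with the
    requirement providers that actually forced it (e.g. Identity Protection)."""
    hits = []
    for s in signins:
        if s.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        if any(p.get("result") in APPLIED_RESULTS
               for p in s.get("appliedConditionalAccessPolicies", [])):
            continue  # Conditional Access explains this MFA prompt
        providers = [p.get("requirementProvider", "unknown")
                     for p in s.get("authenticationRequirementPolicies", [])]
        hits.append((s["id"], s["userPrincipalName"], providers))
    return hits


def count_requirement_providers(signins):
    """Tally which service required MFA across the export; a non-CA one stands out."""
    return dict(Counter(p.get("requirementProvider", "unknown")
                        for s in signins
                        for p in s.get("authenticationRequirementPolicies", [])))
```

Run it over a real export (for example the JSON returned by the Graph sign-ins endpoint) and any provider other than Conditional Access in the output is the place to look next.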
Once there, choose Security from the menu:
Then, under Protect, you want Identity Protection:
From here you need the final option, "Multifactor authentication registration policy", as below:
The list of users and groups, or more accurately the group in this case, will contain either an Active Directory (AD) or Azure Active Directory (AAD) group, and users in that group are forced to complete multifactor registration, outside of Conditional Access.
Identity Protection is one of those services that sits before Conditional Access, which means this particular policy (amongst others) kicks in before Conditional Access evaluates the sign-in, and the Authentication tab will tell you which service raised the requirement for that sign-in request.
Removing the group from the Identity Protection policy gave control back to Conditional Access, which no longer exhibited the issues outlined earlier. Remember: to fix issues you need to understand the technology stack end-to-end and not just "bits of it".