MFA still applied to a user when they are excluded from Conditional Access?

Say you have a Conditional Access policy that requires MFA, like the one shown below:













However, when an account is excluded from that policy, the user is still unable to log in without MFA. The error they get is:

"More information required, Your organization needs more information to keep your account secure"

You end up scratching your head as to why this is happening. Fear not: drop yourself into the sign-in logs and you should see an "Interrupted" event for this issue, which when clicked on looks like this:






Fear not, people: click on the Authentication Details tab, as shown below, and notice that the source is "Identity Protection", not "Conditional Access". This tells you that it is not Conditional Access causing the error, so read on.








The user is being prompted to register for MFA, via the "More information required" page, because of the MFA registration policy configured in Azure AD Identity Protection.

If MFA is not needed for the user, the user account needs to be excluded from this policy as well, as described below:

  1. Navigate to the Azure portal.
  2. Browse to Azure Active Directory > Security > Identity Protection > MFA registration policy.
  3. Under Assignments
  4. Users 
  5. Click Exclude
  6. Add your user in question
  7. Save

You all know the policy: hidden away in Azure AD under Security and Identity Protection, set to Enforced, and the last place you would expect to look. This is the gatekeeper that kicks in even before the sign-in gets to Conditional Access.
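
The same triage can be run across many sign-ins at once instead of clicking through each event. The script below is an added example, not part of the original post: it assumes the sign-in logs have been exported as records shaped like the Microsoft Graph signIn resource (`authenticationRequirementPolicies` is a beta property), and the users, policy names and function names are constructed for illustration.

```python
# Constructed sample sign-in records. Field names follow the Microsoft Graph
# signIn resource (an assumption about your export); all values are made up.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "svc-scanner@example.com",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "notApplied"}],
     "authenticationRequirementPolicies": [
         {"requirementProvider": "mfaRegistrationRequiredByIdentityProtectionPolicy"}]},
    {"userPrincipalName": "alice@example.com",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA - all users", "result": "success"}],
     "authenticationRequirementPolicies": [
         {"requirementProvider": "multiConditionalAccess"}]},
    {"userPrincipalName": "bob@example.com",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [],
     "authenticationRequirementPolicies": []},
]

IDP_REGISTRATION = "mfaRegistrationRequiredByIdentityProtectionPolicy"

def mfa_source(sign_in):
    """Name the control that demanded MFA for one sign-in record."""
    providers = {p.get("requirementProvider", "unknown")
                 for p in sign_in.get("authenticationRequirementPolicies") or []}
    # A CA policy only counts if it was actually enforced on this sign-in.
    ca_enforced = any(p.get("result") in ("success", "failure")
                      for p in sign_in.get("appliedConditionalAccessPolicies") or [])
    if IDP_REGISTRATION in providers:
        return "identity-protection-mfa-registration"
    if ca_enforced:
        return "conditional-access"
    if providers:
        return "other:" + ",".join(sorted(providers))
    return "none"

def excluded_but_prompted(sign_ins):
    """Users CA did not apply to, yet who were sent to MFA registration."""
    return sorted({s["userPrincipalName"] for s in sign_ins
                   if s.get("conditionalAccessStatus") == "notApplied"
                   and mfa_source(s) == "identity-protection-mfa-registration"})

if __name__ == "__main__":
    for s in SAMPLE_SIGN_INS:
        print(f'{s["userPrincipalName"]:28} {mfa_source(s)}')
    print("Review MFA registration policy exclusions for:",
          excluded_but_prompted(SAMPLE_SIGN_INS))
```

Any account the second function returns is one to review against the Identity Protection MFA registration policy's exclusion list, since a Conditional Access exclusion alone will not stop the prompt.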