Jim Hill

My feedback

  1. 156 votes
    Jim Hill commented  · 

    I figured out a solution! I am not sure if these are the exact steps I did. But the root cause was previously having a conditional access policy applied to that user.

    - Make sure the CA policy for MFA is not enabled. Mine was the Legacy rule, "Baseline policy: Require MFA for admins (Preview)"
    - Disable the MFA for that user in the Office 365 Admin: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
    - Create a new CA policy in Azure AD. Have it grant access and require MFA, and only apply just to that user.
    - Go back to the Office 365 MFA admin and enable then disable the MFA requirement for that user a few times. I did it four times. Leave with it disabled.
    - Return to Azure and remove that user from the CA policy requiring MFA. Leave it enabled but just not applied to any users.
    - Return to Office 365 admin and enable MFA for that user.
    - Initiate a screen sharing session with that user. Have them log into their MFA set up screen (https://aka.ms/MFASetup). They will then see and be able to create a new app password.

    This took me a month to figure out, and my exact steps may not have been exactly as I said above. Hopefully the whole community can figure out the best way.

    Jim Hill commented  · 

    This is extremely frustrating. I had one user assigned to a CA policy requiring MFA. Then I later disabled that policy. Now they cannot create an app password. Wow, what a mess. This user is now locked out of key company systems unless I disable MFA, which I am reluctant to do because of constant attacks against their IMAP login (which is needed for one legacy system we must use for the time being).

  2. 5 votes
    0 comments  ·  Azure Monitor-Application Insights
    Jim Hill supported this idea
