Commit e5fd50f

[Azure AD] Authentication - MFA User state and Conditional Access
1 parent d21500c commit e5fd50f

1 file changed

+7
-4
lines changed

articles/active-directory/authentication/howto-mfa-userstates.md

Lines changed: 7 additions & 4 deletions
@@ -38,11 +38,14 @@ Enabled by Azure AD Identity Protection - This method uses the Azure AD Identity
3838

3939
User accounts in Azure Multi-Factor Authentication have the following three distinct states:
4040

41+
> [!IMPORTANT]
42+
> Enabling Azure MFA through a Conditional Access policy will not change the state of the user. Do not be alarmed users appear disabled. Conditional Access does not change the state. **Organizations should not enable or enforce users if they are utilizing Conditional Access policies.**
43+
4144
| Status | Description | Non-browser apps affected | Browser apps affected | Modern authentication affected |
42-
|:---:|:---:|:---:|:--:|:--:|
43-
| Disabled |The default state for a new user not enrolled in Azure MFA. |No |No |No |
44-
| Enabled |The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. |No. They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
45-
| Enforced |The user has been enrolled and has completed the registration process for Azure MFA. |Yes. Apps require app passwords. |Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
45+
|:---:| --- |:---:|:--:|:--:|
46+
| Disabled | The default state for a new user not enrolled in Azure MFA. | No | No | No |
47+
| Enabled | The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in. | No. They continue to work until the registration process is completed. | Yes. After the session expires, Azure MFA registration is required.| Yes. After the access token expires, Azure MFA registration is required. |
48+
| Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords. | Yes. Azure MFA is required at login. | Yes. Azure MFA is required at login. |
4649

4750
A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.
4851
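
Review bot: The second sentence of the added `[!IMPORTANT]` note (new line 42), "Do not be alarmed users appear disabled.", is missing "if", and the note says twice that Conditional Access does not change the user state. Suggest merging these into one statement, for example "Enabling Azure MFA through a Conditional Access policy does not change the user's state, so users may still appear as Disabled." The bolded sentence "Organizations should not enable or enforce users" would be clearer if it named the per-user states from the table below (Enabled, Enforced), since it can otherwise be read as advice not to turn on MFA at all. Minor style point: the reworked Enabled row still has `required.| Yes` without a space before the pipe, while the other cells in this change were normalized.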
