Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-05-31) Cloud-Based Azure AD MFA Notifications Not Working While You Already Registered

Posted by Jorge on 2019-05-31


After you register your security info in Azure AD, the security information page may look similar to the following:

REMARK: the security page looks like this because I have the converged experience for MFA and SSPR enabled in AAD.


Figure 1: Security Information In AAD To Be Able To Use MFA And SSPR (Converged Experience)

Now, after navigating to an ADFS-connected application and choosing the cloud-based Azure AD MFA on the MFA choice screen in ADFS, you may see a screen telling you the method is not available. In my ADFS it looks as displayed below.

REMARK: this has been customized by me. In a future blog post I will show how.


Figure 2: (Custom) Error In ADFS Saying That The Account Is Not Registered For The Chosen MFA Method

The weird thing here is that you can see in figure 1 that the account is registered, but for some reason it is still failing as shown in figure 2. I know what the problem is and how to solve it, but do not understand why or when it happens. Although I have the Microsoft Authenticator app registered, you can also see the default sign-in method is set to “Phone – Text”. THAT may work when using SSPR, but in my case it will not work for MFA because I have “Text message to phone” disabled in the Multi-Factor Authentication service settings as displayed below.


Figure 3: The Configured Multi-Factor Authentication Service Settings In My AAD Tenant

To cut a long story and a long time of searching for a solution short, you can do the following to solve this.

  1. Navigate to https://aka.ms/setupsecurityinfo
  2. If on the right of the Default Sign-In Method you see a link called “Change”, then click that and skip steps 3, 4 and 5
  3. If on the right of the Default Sign-In Method you DO NOT see a link called “Change”, then click on “Change” next to “Delete” for the Phone registration
  4. Just reregister the exact same (mobile) phone number. For confirmation you will receive a text message and you need to enter the code received to complete the process
  5. If on the right of the Default Sign-In Method you see a link called “Change”, then click that. If you do not, then go to step 7
  6. Change the default sign-in method to “Authenticator App – Notifications” (assumes you have a registration for the Microsoft Authenticator App)
  7. If MFA still does not work, then navigate to https://aka.ms/setupsecurityinfo and re-register the Microsoft Authenticator app with the account you used to log into AAD. There is no need to remove any existing registration in AAD or the account from the Microsoft Authenticator app. Any new registration will overwrite the existing registration.
  8. If on the right of the Default Sign-In Method you see a link called “Change”, then click that and choose the “Microsoft Authenticator App – Notification” method as the default sign-in method
  9. Try MFA again. It should work now.

The security information should look similar to:

Figure 4: Security Information In AAD To Be Able To Use MFA And SSPR (Converged Experience)

What I have seen is that after people register the Microsoft Authenticator app in the Security Information page in AAD, for many of them the default sign-in method is automatically changed to “Microsoft Authenticator App – Notifications”, but for some it remains with “Phone – Text”.
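To find the accounts left in that state before they hit the error in Figure 2, the check below flags users whose default method is one the tenant has disabled. It is an added example, not part of the original post: the function name `Find-MfaDefaultMismatch` is hypothetical, the sample accounts are constructed, and it assumes the `StrongAuthenticationMethods` shape returned by the MSOnline module's `Get-MsolUser`, with only text message disabled.

```powershell
# Added example: flag accounts whose default MFA method is disabled tenant-wide.
# MethodType strings follow the MSOnline StrongAuthenticationMethods values:
# OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification.
function Find-MfaDefaultMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        # Assumption: only "Text message to phone" is switched off in the MFA service settings.
        [string[]]$DisabledMethodType = @('OneWaySMS')
    )
    process {
        $methods = @($User.StrongAuthenticationMethods)
        $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1
        if (-not $default) { return }    # nothing registered, so nothing to mismatch
        if ($DisabledMethodType -notcontains $default.MethodType) { return }
        [pscustomobject]@{
            UserPrincipalName  = $User.UserPrincipalName
            DefaultMethod      = $default.MethodType
            # Registered methods that are still allowed: candidates for the new default
            UsableAlternatives = @($methods.MethodType |
                Where-Object { $DisabledMethodType -notcontains $_ }) -join ', '
        }
    }
}

# Constructed sample accounts shaped like Get-MsolUser output (not real users).
function New-SampleMethod($Type, $IsDefault) {
    [pscustomobject]@{ MethodType = $Type; IsDefault = $IsDefault }
}
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'
        StrongAuthenticationMethods = @(
            (New-SampleMethod 'OneWaySMS' $true),
            (New-SampleMethod 'PhoneAppNotification' $false)) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'
        StrongAuthenticationMethods = @(
            (New-SampleMethod 'OneWaySMS' $false),
            (New-SampleMethod 'PhoneAppNotification' $true)) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'
        StrongAuthenticationMethods = @() }
)
$sample | Find-MfaDefaultMismatch | Format-Table -AutoSize

# Against a live tenant (MSOnline module, after Connect-MsolService):
#   Get-MsolUser -All | Find-MfaDefaultMismatch
```

Only the first sample account is reported: its default is the disabled text method even though an Authenticator registration exists, which is the situation the steps above correct.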

Enjoy and have fun!

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-