Microsoft Teams
A Microsoft customizable chat-based workspace.
9,069 questions
Azure MFA not Blocking Phone Notifications
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 82%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
Jon Covalt
96
Reputation points
We've enabled Azure MFA for our Office 365 by using conditional access policies. This works as intended, but we've discovered an unexpected issue.
Users who add their accounts to a mobile device still receive the full notifications for e-mails and Teams messages on their mobile devices, even if they don't authenticate again when their MFA token has timed out. This allows them to see e-mails and messages through their phone notifications despite the fact that they should not be even getting these until they re-authenticate.
For example, the attached image shows what one user is seeing on his phone. He has not re-authenticated in nearly a week, and our access policies state that he should have to do so every 24 hours. He says he can even click the arrow icons to expand these messages. While he is unable to respond to them without authenticating via MFA, this is definitely not the intended functionality; he shouldn't even be receiving messages without authenticating again.
Has anyone found a way to avoid this?
Microsoft Teams
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,466 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee2021-08-13T21:23:57+00:00 Just to clarify - are these all lockscreen messages?
-
Jon Covalt 96 Reputation points
2021-08-13T21:25:38.857+00:00 In this case, yes; these messages show on both the lock screen, and in the notifications when the phone is unlocked. While the user cannot click the message to open the application without authenticating, they can use the 'expand' option to view the messages in the notification area.
-
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2021-08-13T21:35:01.723+00:00 I reported this to the Teams team and reached out to some contacts there as well. I will get back to you!
-
Sharon Zhao-MSFT 25,056 Reputation points Microsoft Vendor2021-08-16T07:04:42.023+00:00 Users who add their accounts to a mobile device still receive the full notifications for e-mails and Teams messages on their mobile devices
According to your description, it seems that not only Microsoft Teams, but also Outlook have the same problem. So, this problem could be related to Office 365. It is suggested to check if there is any related information of Service health in Microsoft 365 admin center > Health: Service health. For more details, please refer to How to check service health part in this link.
Besides, I tested in iOS 14.7.1 and Microsoft Teams version 3.12.1. It works properly even after enabling MFA. I also tested in Android device and still don't reproduce this problem.
Could you share with us which kind of mobile device do you use? And how many people in your tenant have the same problem?
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
-
Jon Covalt 96 Reputation points
2021-08-17T15:29:00.01+00:00 1) I'm not seeing anything in the service health that should be affecting this.
2) The users who have reported this issue are using Android phones
3) We are still in an early trial phase for MFA, so not many people are configured for the conditional access policies. I have 2 users who have confirmed this behavior at this point, though there may be others I haven't had the chance to talk with yet.Just as a recap.
- We are using conditional access policies to control when users are prompted for MFA. These policies check whether their device is either compliant with Intune (for mobile devices) or Azure AD Hybrid enrolled (for Windows devices) to determine whether their device is managed.
- Our conditional access policies are configured to force users to authenticate with MFA once per day if they are on an unmanaged device.
- MFA is prompting users as expected, and will not allow users to respond to e-mails, or open the actual Outlook or Teams applications when they need to authenticate
- If a user doesn't authenticate when prompted, they are still getting notifications for individual Teams messages, and Outlook e-mails, that allow them to see message contents in their notifications. This is the issue, as they shouldn't even be getting individual notifications for these apps until they have signed back in using MFA.
-
Sharon Zhao-MSFT 25,056 Reputation points Microsoft Vendor
2021-08-19T08:45:15.203+00:00 @Jon Covalt ,
According to your description, this problem is not only related to Teams, but also Outlook. Obviously, it is not a simple Teams-side problem, might be involved with more apps. So, I will add azure-ad-multi-factor-authentication tag back. Hope MarileeTurscak-MSFT will give you more insights. -
Jon Covalt 96 Reputation points
2021-08-24T12:34:10.21+00:00 Has there been any other news on this item? It is not only affecting Teams, and so the Teams member kicked it back up to the general topic.
Sign in to comment