question

0 Votes
TonySchultz-7167 asked · DianaAyala commented

MFA Authentication Issues

So I've been banging my head against this for too long and am hoping someone can suggest something I haven't already tried.

Basically, I've got a user who is unable to set their MFA options. I can set them via the back end, but when they try to log on, they never receive a text or call. Here's what I've tried so far:

1). Ensured that the sign-in isn't blocked (and have also tried enabling/disabling to see if that helped -- it didn't).

2). Reset MFA via "Require Re-register MFA".

3). Tried multiple mobile numbers (including different providers), office numbers, and the authenticator app.

4). Restarting my mobile phone (didn't think this would help, especially as none of the other mobile phones/office phones worked either, but it was suggested, so I tried it anyway).

5). Verified that when I tried changing stuff on my account's MFA settings, everything went swimmingly (which tells me it's almost certainly something to do with the account and not the MFA service).

When I set the primary authentication option (from portal.azure.com -> Users -> affected user -> Authentication Methods) to a phone number (Phone type: Mobile), I see the typical "We texted your phone +X XXXXXXXX47. Please enter the code to sign in." message, but no text ever comes through (and I've double- and triple-checked the number to make sure it's correct).

When I select the option to "Sign in a different way", and choose to have it call either the same number, or an alternate one I'd configured via the same method (Phone type: Office), I see the normal "We're calling your phone. Please answer it to continue.", but then I get a line of red text that states "We called your phone but didn't receive the expected response. Please try again." LIES. But at least then I'm able to view additional details:

Error Code: 500121
Request Id: 93c51ff7-b652-4777-abec-5aa117353100
Correlation Id: 3820b4e3-0a6a-4073-b706-926fb7247e9d
Timestamp: 2021-05-19T01:06:37Z

Searching for that error gets me a description of:

Error Code: 500121
Message: Authentication failed during strong authentication request.
Remediation: The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or has an issue with their authentication setup.

So ... yeah, I'm stuck. If I set the user's MFA auth options manually, they don't work. If I delete all MFA options, the user gets prompted to set up their MFA options at next login, but isn't able to save them, as doing so requires being able to successfully receive either a call or text from the MFA service. I've tried having them install the MS Authenticator app as well, but when the MFA site generates the QR code, the Authenticator app just tells me:

"Unable to add the account. We couldn't add the account. Please verify that the activation code is correct and push notifications are enabled on your device for this app" (it is).

Likewise, if I try to manually enter the code and URL, the app tells me "QR code already used. You've already used this QR code to add an account. Generate a new QR code and try again."

...

Again, MFA is working for all of the other 100+ people in the office, but not this one person and for the life of me, I just don't know why. So if anyone can think of or suggest something I haven't tried yet, it'd be very much appreciated (especially if it fixes the issue).

azure-ad-multi-factor-authentication

We have had many of these similar issues: we normally confirm that the user is signing in using the correct profile. Often users configure MFA in a browser that is synced to a specific profile. When they configure MFA they often do not confirm they are signed in with the correct credentials. Example: I have a work profile User-work@company.com and it is synced to my Edge/Chrome browser. I also have a test profile user-test@testtenant.com and it is synced to my Edge/Chrome browser. If I open my sign-ins, it will sign in to the profile I'm synced to and will not prompt for credentials because I use SSO.

I generally walk customers through verifying they are using and signed in to the correct profile. I walk them through removing the MS Auth app from the portal and the account from the MS Auth app. Then we restart the process; 99% of the time this resolves the issue.

Lastly, we encourage the use of dedicated profiles in the users' browser to help avoid what I might call "cross-accessed" sites in a single browser. I hope this is helpful.

0 Votes
TonySchultz-7167 answered

Resolved the issue. The account was blocked for sign-in and I was just looking in the wrong place.

Turns out that I was looking at AzureAD -> Users -> "Joe User" and thinking that under 'Settings' where it says 'Block sign in' (which was set to No) determined MFA block status. If I had looked under AzureAD -> Security -> MFA -> Block/Unblock Users, I would've seen that her account was blocked there. So, yeah. Yay for learning.

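The lesson of the accepted answer is that the user object's "Block sign in" toggle and the per-user MFA block list are two different controls, and only the first is visible on the user. The following triage helper is an added example, not code from the thread or from Microsoft: it takes inputs shaped like two Microsoft Graph responses (GET /users/{id}?$select=accountEnabled and GET /users/{id}/authentication/methods) plus the "additional details" error box pasted in the question, and points at the MFA block list when everything visible on the user object looks healthy. All sample values are constructed.

```python
import re

# Graph method types that can satisfy an MFA prompt (a password alone cannot).
MFA_METHOD_TYPES = {
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
}

# Constructed inputs shaped like GET /users/{id}?$select=accountEnabled and
# GET /users/{id}/authentication/methods, plus the error box from the sign-in page.
SAMPLE_USER = {"userPrincipalName": "joe.user@example.com", "accountEnabled": True}
SAMPLE_METHODS = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
    {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
]
SAMPLE_ERROR = """Error Code: 500121
Request Id: 00000000-0000-0000-0000-000000000001
Correlation Id: 00000000-0000-0000-0000-000000000002
Timestamp: 2021-05-19T01:06:37Z"""


def parse_error_block(text):
    """Turn the 'Key: Value' lines shown under 'additional details' into a dict."""
    details = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S.*)$", line)
        if m:
            details[m.group(1).strip().lower()] = m.group(2).strip()
    return details


def triage(user, methods, error_text):
    """Return findings in order; the last entry is the next thing to check."""
    details = parse_error_block(error_text)
    enabled = user.get("accountEnabled", True)   # False == "Block sign in: Yes"
    mfa = [m for m in methods if m.get("@odata.type") in MFA_METHOD_TYPES]
    findings = []
    if not enabled:
        findings.append("Block sign in = Yes on the user object (accountEnabled false)")
    if not mfa:
        findings.append("no MFA-capable method registered; user must complete proofup")
    else:
        findings.append(f"{len(mfa)} MFA-capable method(s) registered on the user object")
    if details.get("error code") == "500121" and enabled and mfa:
        # Neither Graph view shows the per-user MFA block list, which lives in the
        # legacy MFA settings (Azure AD -> Security -> MFA -> Block/Unblock users).
        findings.append("user object looks healthy: check the per-user MFA block list")
    return findings
```

Calling `triage(SAMPLE_USER, SAMPLE_METHODS, SAMPLE_ERROR)` reproduces the situation in the question: sign-in not blocked, a phone method registered, and 500121 on every prompt, so the block list is the next place to look.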

1 Vote
michev answered · TonySchultz-7167 commented

Get the user to try directly via aka.ms/proofup; if that doesn't work either, best open a support case.


Unfortunately, I got the same result as from https://aka.ms/MFASetup, but thank you for the suggestion (I wasn't aware of the aka.ms/proofup link). I'll go ahead and open a case with MS and post the answer back here once it gets sorted out.
