question

jonathon-0348 asked JamesTran-MSFT answered

Adding MFA to administrator accounts with the free account

hi,

i'm wanting to allow people to sign into my application using the microsoft oauth stuff. so i created a tenant, and created an app registration. however, i notice on the app registration page, a notice saying:

Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers. Add MPN ID to verify publisher

so i go and register an MPN ID, then come back to the app registration. and select

Add MPN ID to verify publisher

i add my MPN ID, and then it says:

You must use multi-factor authentication to proceed. Please ensure MFA is enforced for your account, and then sign in again using MFA. Please refer to this link for additional information.

sure, makes sense. so i go and add some additional authentication options to my account ... log out ... log back in ... however i'm not prompted for any additional MFA stuff. so i keep reading. oh, i need to enable MFA in the AD itself. righto. but wait, do i have to pay for this? ... and then i read:

Basic multi-factor authentication features are available to Microsoft 365 and Azure Active Directory (Azure AD) users and global administrators for no extra cost.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

oh, ok, great. so i spend a lot of time trying to figure out how to turn on AD MFA for "global administrators". i keep finding these articles that point me to "Security" and then "MFA" (makes sense!), but when i get there, it says

Get a free premium trial to use this feature

so i never did figure out how to turn on AD MFA for "global administrators". however, i didn't give up, and i kept reading, and i found:

All users in an Azure AD Free tenant can use Azure AD Multi-Factor Authentication by using security defaults. The mobile authentication app is the only method that can be used for Azure AD Multi-Factor Authentication when using Azure AD Free security defaults.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#azure-ad-free-tier

so if i turn on "security defaults", this will force me to use MFA, and the app registration will let me add an MPN ID ... except that "security defaults" was already turned on. sure enough:

If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant. To protect all of our users, security defaults are being rolled out to new tenants at creation.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#why-security-defaults

so this is where i'm at ... any tips on how i can:

use Azure AD Multi-Factor Authentication by using security defaults.

?

with thanks

azure-ad-identity-protection

jonathon-0348 answered JamesTran-MSFT commented

i figured it out.

you have to log in from a private/incognito window. then you'll get MFA.

cheers


@jonathon-0348
Thank you for your detailed post and for following up on this!

I'm glad that you were able to resolve your issue, and thank you for posting your solution here so that others experiencing the same thing can easily find this!

JamesTran-MSFT answered

@jonathon-0348
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue:
After creating your App registration, you noticed the below message, so you wanted to "Mark your app as publisher verified" by adding the MPN ID. Once you added the MPN ID, you received a message saying "You must use multi-factor authentication to proceed. Please ensure MFA is enforced for your account, and then sign in again using MFA...", since one of the Requirements of adding your MPN ID is to enable MFA. After researching, you ended up enabling Security Defaults but were having issues since the feature was already enabled for your tenant.

Message:
Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers. Add MPN ID to verify publisher


Solution:

In order to resolve this, you had to log in using MFA by using a Private/Incognito Window.


Thank you again for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
