I am trying to switch directories in Azure but it prompts me to approve the request on the authenticator application. However, I have removed that entry from the authenticator application.
When I try to sign in a different way, it still prompts me to use the authenticator app.
It seems that you did not set a phone number at the last step when you added the authenticator.
So, just as #juunas mentioned in the comment, you need to contact other admins to reset your MFA settings from the Azure portal:
You can set up your Authenticator again by going to: https://aka.ms/mfasetup, but you probably need to have your AAD administrator use Require re-register MFA again, since you won't be able to log in there without MFA if you are not already logged in.
Related
For our B2C tenant we want to let our customers make use of the Microsoft Authenticator app. When doing research, we noticed that it was not possible to add the Authenticator App for existing users without disabling phone/text message authentication.
This is not an acceptable situation for us since that means that someone with customer credentials can take over the enrolment flow.
An MS engineer suggested the following:
The desired situation should be possible with a “Registration campaign” - https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/RegistrationCampaign
Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator.
However, we enabled this option as described in the documentation, but after an existing user signs in, no Authenticator app flow is started.
Does anyone have experience with how we can make this work?
As far as I know, if existing users don't receive the authenticator app approval even after enabling MFA, please try the steps below:
There is a chance that your users selected “Stay signed in” while logging into their accounts. By doing this, their devices are treated as remembered devices, which suspends MFA.
If you set Remember MFA on trusted device while enabling MFA, the user won't get prompts until the duration expires.
To resolve the issue, try clearing all old session history by enabling “Revoke MFA sessions”.
If the issue still persists, try enabling Re-register MFA, which asks the users to set up a new MFA authentication method when they sign in.
For more reference, please see the links below:
Enable multifactor authentication in Azure Active Directory B2C
Manage user authentication options
I am using Azure services and Azure AD Free (my personal account).
I have set up a tenant and I am Global Admin. I have enabled Security Defaults in the tenant. Hence, I assume MFA is enabled for all the tenant's users.
When I sign in to the Azure Portal as Global Admin, sometimes I am not prompted for MFA; is this maybe because the browser sends a cookie? Or maybe because MFA is not always triggered?
Also, if I open an incognito window I get prompted for a code, received via email. My question here is: why email? As per the AAD MFA doc, the email method is NOT an MFA channel!
Please check whether the following are the reasons you are not getting the prompt for second verification even though MFA is enabled:
Please check if you are a member of any exception group. To avoid a lockout situation, Microsoft mostly suggests excluding the global admin account while enabling MFA. If you did that, remove your account from the exception group.
There is also a possibility that you selected the checkbox saying “Stay signed in” while logging into your account. Then it will treat your device as a remembered device and suspend MFA. Also please check in the screenshot below whether you have enabled this option (Remember MFA on trusted device). If you enabled that, you won’t get prompts until the number of days you have given expires.
To remove all those sessions, enable “Revoke MFA sessions”, which clears all remembered session history and asks for second verification.
As you already mentioned, MFA code won’t be sent via email.
From this Microsoft Doc:
Email address is only used for Self-Service Password Reset (SSPR), not for authentication.
There is also a possibility that your password has expired and it’s sending a code to your email to reset it, since you have given it as a recovery option.
NOTE:
As you are enabling Security Defaults, please note that you won't be getting MFA prompts every time. Azure AD decides when a user will be prompted for MFA, based on factors such as location, device, role and task.
For example, if you are accessing from a different location and it seems suspicious, you will definitely get a prompt; otherwise you won't. If you need MFA prompts in particular, make use of Conditional Access policies, which require Azure AD Premium licenses.
Quite new to B2C and have set up custom policies, which did seem to be working OK.
Since adding the password reset functionality (https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy), I have found that local user accounts can sign up and it will sign them in, but will not let them log in again.
The same happens for resetting the password. It all goes through, the user can log in, and then on the next login it doesn't accept the creds.
The B2C audit logs show the password reset as a success... not sure what I am missing?
EDIT: I checked on another tenant I was testing on, which I had not set up the password reset on yet, and have the same issue with local user account creation.
The only piece that is different from the examples is that I have a multi-tenant Azure AD IdP set up.
Any help will be much appreciated
Sounds like you did not complete the setup for the proxyief and ief app registrations correctly. https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications
Delete your proxyief and ief app registrations, then use my tool to reprovision them: https://aka.ms/iefsetup
After reprovisioning, test after a few minutes.
It will overwrite your custom policy files, so download them back and set up the AAD multi-tenant technical profile again afterwards.
Application IDs needed to be added to the technical profile of the trusedbaseextensions file for non-interactive logins.
Application IDs for both app registrations mentioned.
I'm using Office 365 Business Premium for my test. Since a couple of days ago, I've gotten a prompt for an authentication code (see below) after entering my password when I try to sign in.
MFA prompt
It seems like MFA became enabled suddenly, although I didn't do any such configuration. I suspect my account may possibly have been compromised.
Is there any way to recover from this situation?
Thanks
Kaypyosh
If you lost your phone you will need to reach out to your administrator to reset your information.
The Authenticator app is designed so that you have to prove your identity, so it will require the admin reset if Authenticator MFA is enforced.
If you are the only global admin on the tenant, then you can reach out to the Azure data protection team to get this resolved.
Azure Data Protection number (866-807-5850)
However, if there is a second global admin you will need to reach out to that person to reset the settings. Please refer to this similar one
Only the global admin is able to set up or modify MFA.
You can turn off MFA by following the steps:
1. Go to the Office 365 admin center.
2. Go to Users > Active users.
3. Choose More > Setup Azure multi-factor auth.
4. Check your account.
5. Click Disable on the right.
Please check here
I have a native app (Electron) where I have integrated the Azure AD v2.0 sign-in experience. We have only enabled Microsoft Account based sign-in for now.
Here's what my sign-in URL looks like:
const url = `https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=<my-application-id>&response_type=id_token&redirect_uri=${encodeURIComponent('urn:ietf:wg:oauth:2.0:oob')}&scope=openid%20profile%20email&response_mode=fragment&nonce=<some-random-value>&state=<some-random-value>`;
Using this link, a user can sign in successfully. There are no issues there. However, every time a user signs in, they are presented with a consent dialog after providing their credentials.
Based on my knowledge, if a user has consented to an app and there is no change in the permissions (rather, scopes) asked for by the app, then the user should not be prompted to consent again.
I'm wondering why this is happening. I even tried with appending prompt=login to the URL but that has no effect.
Is there another setting that I need to make? I looked at both the old portal (Microsoft Application Registration Portal) as well as the new portal (App Registration (Preview) in the Azure Portal) but could not find a setting that will disable the consent prompt on every sign-in.
The behavior you are seeing is due to the fact that you are using a reply URL with a scheme that is not "http" or "https" ("urn", in your case). In this situation, Microsoft Accounts will ask the user to confirm the delegated permissions the app is requesting, even if these permissions have been granted previously. This additional prompt helps make sure users know which app the app is identifying as.
In most native client app scenarios, this should not be a significant issue. It will add an extra step during the initial sign-in to the app, but after that, the app should be able to make use of the refresh token for most token acquisitions. (Occasionally, the app may need to trigger an interactive sign-in again, but this would be relatively rare.)
If you look very closely, you'll notice a slight difference between the initial consent prompt ("...needs your permission to..."), and the subsequent confirmation prompt ("... needs you to confirm its permission to...").