How to use Andoid phone as virtual MFA device for Azure portal login prompt.
https://learn.microsoft.com/en-in/azure/multi-factor-authentication/multi-factor-authentication
I see, there is an option to use smart phone in that tutorial but not much on how to use it.
Also in this link https://learn.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to , can't find such options in azure dashboard
Thanks in advance
Do you want to enable MFA for your Azure account and install APP on your Android phone?
If I understand it correctly, we can login your Azure portal, and select Multi-Factor Authentication, like this screenshot:
More information about to enable MFA for Azure AD account, please refer to this article.
After MFA enabled, we should login https://myapps.microsoft.com, and select profile then select Additional security verification, like this:
In that page, you will find the configure settings:
After that, we can use this Microsoft Authenticator APP on your Android device.
Update:
Update2:
If your first account is Microsoft account, we can't enable MFA in Azure portal, because Microsoft Account MFA different with Azure AD MFA. About Microsoft account MFA, we can follow this article to enable it.
Related
I want to access the outlook API with a Python application. I followed this guide but quickly ran into authentication issues. Tried it with my existing private Microsoft account and with a new created account, but ran into authentication issues quickly. Whenever I try to do anything in the portal, I get this message:
Already checked in with the general Microsoft support. They directed me towards Azure support, but I can't reach anybody there.
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Microsoft personal account is not added as an external/guest user to an Azure AD tenant.
To resolve the error, contact the Global admin to invite the account as a guest user like below:
Once the admin invites, you will get an email notification to accept the invitation like below:
After accepting the invite, the Personal Microsoft account will be added to the tenant successfully like below:
And now you will be able to access the Azure Portal without any issue and you can also create your own tenant to have admin access.
If still the issue persists, try the below:
Sign out from the active session and sign in incognito window or any different browser.
Clear browser cache and cookies and try.
Confirm whether the admin has set any External user settings that is restricting the access:
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
When looking into the Build Python apps with Microsoft Graph tutorial that you followed, one of the pre-requisites mentioned signing up for the Microsoft 365 Developer Program to get a free Microsoft 365 subscription. After you sign-up, you'll need to use the Microsoft 365 developer sandbox credentials in order to continue following the tutorial without having to leverage your own Azure AD tenant or subscription (pay-as-you-go).
Build Python apps with Microsoft Graph:
Join the Microsoft 365 Developer Program
Deploy the Developer Sandbox
Using the Microsoft 365 Developer subscription(s) info you'll be able to login to the Azure Portal or Azure Active Directory admin center.
Note: You can navigate to your developer tenant using - https://aad.portal.azure.com/<<SandboxTenantName>>.onmicrosoft.com, or when prompted to sign in use your sandboxes' admin account.
If you only signed up for a new personal Microsoft account (Outlook), you'll notice that once you sign into the Azure AD Admin Center, your Outlook.com user isn't associated with any Azure tenants, and you'll run into the authentication issue error message that you referenced, so you'll have to create your own Azure AD tenant by signing up for an Azure Free Trial or Pay-as-you-go.
I hope this helps!
With Multi-Factor Authentication enabled Azure portal, it requires users to approve every login in users’ Authenticator App.
When I changed my phone, Authenticator app must be migrated to my new phone. I used Back and Recover function of Authenticator app. I backed up and recovered account details to new phone. As work or school accounts, the migration process requires Additional Security Verification, which requires to rescan all QR codes of all accounts in Authenticator app. I have rescanned all QR codes of work or school accounts that I created.
Now my issue for this migration is Azure AD B2C account. It was created by Azure when I created Azure AD B2C directory. The name of the account in Authenticator app is admin_mydomain.com#EXT##mydomain.onmicrosoft.com. It is not a work or school account. From the name, it may relate to my Azure login account (admin#mydomain.com a work or school account). I have spent many hours for it. But I still don’t know where this special account details stored. So I can’t get the QR code of the account for Authenticator app. I can’t finish my Authenticator app migration.
This account authentication is required when I switch from Azure primary directory to Azure AD B2C directory in Azure portal.
Please help me with this issue. Thanks.
[UPDATE] I just realized that what worked for me, ist the the solution Alfredo R already posted! So I can confirm that this works.
While I'm still struggeling to revalidate my [username]#[custom-domain].onmicrosoft.com account, I think I found a solution for the AAD B2C problem:
Login to https://myaccount.microsoft.com/
Main menu "Securityinformation" will show you registered devices for your current organization
Main menu "Organizations": You should at least see the other organization of the B2C tenant
In the top right menu, click your avatar, and switch organizations, and swtich to the B2C tenant
The UI should be the same, but now your're logged in through the B2C tenant
Go back to "Securityinformation" and add your new device
I was lucky that my old device is still working, so I could switch easily organizations. If you can't switch because of MFA and no access to your old device, I think you still need to disable MFA in the B2C tenant as described the other solution and then turn it back on?
But I think thats the way to get the QR code for a B2C tenant, login to your account and switch to the B2C tenant by switching organizations.
admin_mydomain.com#EXT##mydomain.onmicrosoft.com is the UPN (user principal name) for the user hosted in the Azure B2C tenant for your work account admin#mydomain.com. Scan QR as with others but switching first to the B2C tenant.
There are a few steps need to fix this issue.
Need a global admin account of Azure AD B2C active directory. But You can’t use the one that you are going to migrate. Please create one if there is no other global admin account available.
Go to Azure Active Directory of Azure AD B2C directory. Please click on the Properties in the left main menu. Then go to the bottom of the Properties page. Click on the link: Manage security defaults. Disable security defaults and save on the popup window.
Run local PowerShell as local admin. Run following cmdlet to connect to Azure AD B2C active directory.
PS C:\WINDOWS\system32> Connect-MsolService
MAF login will ask for user name and password. Please use the credential of the global
admin account mentioned above. If there is no error appear, run the following cmdlet:
PS C:\WINDOWS\system32> Set-MsolUser -UserPrincipalName
admin_mydomain.com#EXT##mydomain.onmicrosoft.com -StrongAuthenticationMethods #()
Go back to Azure Active Directory of Azure AD B2C tenant > Properties of the left main menu > the bottom of the Properties page > click the link: Manage security defaults. Enable security defaults and save.
Login to Azure portal with admin#mydomain.com, then switch to Azure AD B2C directory. You will see a popup security setting wizard. That is same wizard as we first set up the directory. Please follow the wizard. You will see the QR code for admin_mydomain.com#EXT##mydomain.onmicrosoft.com. You can scan the QR code to finish the MS Authenticator migration.
Is it possible to use Multi-Factor Authentication when login to Windows 10 with Azure AD Account?
I have a Windows10 PC which joined Azure AD during the first boot after OS installation(OOBE).
I wish to use 2-Factor Authentication everytime I login to Windows10, but I could not find a way to achieve it.
I know that Azure AD and Intune can be configured to enforce 2FA when "joining" Azure AD, but it does not enforce it at a normal login.
https://learn.microsoft.com/en-us/intune/multi-factor-authentication
I also enabled Multi Factor Authentication on Azure AD as described below, but it only applies to online services(Office365 etc.) and not Windows10 login.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
I see that with Microsoft Account, 2FA can be enabled on the account setting page, but this setting is not available for Azure AD Account.
https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification
None of the above helps to achieve what I wish to do.
I appreciate if anyone can tell me if it is ever possible or not with some reference.
Unfortunately,there isn't a way to achieve this except using Windows Hello for Business for now.
You can upvote this idea in this feedback forum and Azure Team will review it.
Hope this helps!
I couldn't find a way to require the user to do MFA authentication when using Microsoft Account login. Am I missing something?
Azure AD provides a way to achieve this. Is this something that is coming in the future?
It is possible that requires MFA when using a Microsoft Account to log in the Azure AD managed applications. You can configure the MFA and location based access rules on the Azure classic portal like following:
If the Microsoft Account users are members of the application assigned user groups, then he/she will get prompt to complete MFA before they can access the application on the Access Panel (https://myapps.microsoft.com), like below:
I'm trying to enable the Multi-Factor Authentication on my Azure account, (To secure my access to the Azure portal), i am following the tutorial from here, but, unlike this picture :
I have no Enable button when I select my user:
I've tried to send a csv bulk request with only my user (the email address), but it says user does not exists.
I am trying to add MFA on the user william#[something].com when i'm logged with the william#[something].com MS account (i am the only one user, and i'm global administrator)
In the MFA management page, you can only manage/enable MFA for your own Microsoft Azure AD Accounts, including accounts creating in Azure AD or synced from your on-premise AD; not any Microsoft Account or accounts from other Microsoft Azure AD. As you said you're using a MS account, you surely can't see the enable button.
In Azure Classic Portal, you can easily see if it's a Microsoft account or a Microsoft Azure Active Directory account:
If you want to enable this for your Microsoft account, you need to use Microsoft service at here ,sign in and then click Set up two-step verification.
Follow steps afterwards, you'll enable Two-step Verification it for your Microsoft account.
Of course you can create a new account in your Microsoft Azure Active Directory (Type of User is: New user in your organization), then you can enable MFA for this new user. If you would like a Global Admin, you can click this user and assign user Global Admin role. So then later you can use this admin account for your management work.