Why Did My User Get Into Teams Without Completing MFA?

Asked By TechWhiz42 On

I'm managing an Entra ID with a standard MFA policy that applies to all users, but I'm puzzled by a recent incident. We have a conditional access policy that requires multi-factor authentication for all apps and networks, and I've set the sign-in frequency to every 7 days. A user tried to log into Teams on their iPhone using the Microsoft Authenticator app. After entering their password, they received a push notification with a 2-digit code but were also shown a different prompt asking if they were trying to log in, which wasn't from the Authenticator app. They clicked 'yes' and were granted access to Teams. I'm confused because the logs indicate a successful password entry but also show that the mobile app notification failed. How did this happen when the conditional access policy didn't seem to succeed and the user never entered the 2-digit code?

5 Answers

Answered By MFAExplainer101 On

Since they're getting the Authenticator pop-up, it's possible that the app on their device isn’t requiring the 2-digit code if it’s the same device. You might want to check the notification history to see which app triggered the 'are you trying to log in' message—my bet is it’s still coming from the Authenticator.

Answered By SysAdminGuru88 On

What you’re observing is likely the interrupt event. Let’s focus on finding the actual success event to get the full picture.

Answered By CloudSorcerer69 On

It sounds like this might not actually be a failure of MFA, but rather a configuration quirk. Maybe the user was connecting through a VPN or there's been some environmental change. It’s tricky because Microsoft’s logs aren't always clear-cut. If you can access the user’s device, it might help to take a closer look at it. If it’s managed by your organization, consider wiping it to start fresh—could save you time.

NetworkNerd88 -

I’m certain there are no networks that would allow bypassing MFA here, but I wonder if I misconfigured something. Can you explain how a failure would equal a success in this case?

TechWhiz42 -

Glad to know it’s not just me who gets baffled by these things!

Answered By LogSleuth24 On

Try looking at the 'Status' column instead of the 'Succeeded' column in the logs. It could show ‘Interrupted’ for the MFA prompt, which means something interrupted the normal login flow.

Answered By SecuritySavvy11 On

Check if the user has multiple authentication methods set up on their Entra account. That 'success' status might mean they met the policy requirements through an alternative method besides the Microsoft Authenticator app. Users often surprise us with their workarounds!
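
Added example, not part of any answer above and not Microsoft's tooling: one way to apply the advice in the answers (find the actual success event, read the overall status rather than one failed step, and see which method satisfied the policy) to a sign-in log export. The records are constructed, the field names follow the Microsoft Graph signIn resource as an assumption about the export format, and `summarize` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed sample records (values invented for illustration). Field names
# are assumed to match the Microsoft Graph signIn resource used in exports.
SAMPLE_SIGNINS = [
    {"correlationId": "c-1", "createdDateTime": "2024-01-01T09:00:05Z",
     "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 50074},  # nonzero: shown as Interrupted or Failure
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": False}]},
    {"correlationId": "c-1", "createdDateTime": "2024-01-01T09:00:40Z",
     "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0},      # zero: the event that granted access
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Text message", "succeeded": True}]},
    {"correlationId": "c-2", "createdDateTime": "2024-01-01T10:15:00Z",
     "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 50074},
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": False}]},
]

def summarize(signins):
    """Group events by correlationId (one sign-in attempt) and report whether
    access was granted, which steps failed on the way, and which methods are
    recorded as succeeded on the event that granted access."""
    attempts = defaultdict(list)
    for event in signins:
        attempts[event["correlationId"]].append(event)

    report = {}
    for cid, events in attempts.items():
        events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts as text
        failed = sorted({d["authenticationMethod"] for e in events
                         for d in e.get("authenticationDetails", [])
                         if not d["succeeded"]})
        granted = [e for e in events if e["status"]["errorCode"] == 0]
        satisfied = ([d["authenticationMethod"]
                      for d in granted[-1].get("authenticationDetails", [])
                      if d["succeeded"]] if granted else [])
        report[cid] = {"granted": bool(granted), "failed_steps": failed,
                       "satisfied_by": satisfied}
    return report

if __name__ == "__main__":
    for cid, row in summarize(SAMPLE_SIGNINS).items():
        print(cid, row)
```

An attempt with `granted` true and a non-empty `failed_steps` is the pattern described in the question: one step failed, and a later event with the same correlation ID met the requirement by the methods listed in `satisfied_by`.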
