Help! Users Can’t Sign Up for Microsoft Authenticator Due to Conditional Access Issues

Asked By TechWizard99 On

Hey everyone! I'm reaching out for some assistance with a frustrating issue. Our employees are required to sign up for the Microsoft Authenticator App as part of Microsoft's MFA rollout. However, they keep encountering an error when trying to do so (I can't share the image that shows the error). We suspect that some conditional access policies we have in place are blocking a necessary resource during the signup process. When we exempt users from these policies, they can register without a hitch. The error occurs when users attempt to 'secure their account,' and while this issue doesn't show up in the sign-in logs in Entra, we're stumped on what specific resources to unblock. Currently, we've exempted the following: Windows Cloud Log-In, Azure Virtual Desktop, Microsoft App Access Panel, and Azure Windows VM Sign-In. This is tied to a compliant device policy aimed at allowing non-compliant devices to connect to AVDs. Any insights on what else we can exempt to help with the Authenticator signup? Thanks a lot!

1 Answer

Answered By SysAdminGuru22 On

To get users set up with Microsoft Authenticator, ensure the following resources are accounted for:

1. **My Sign-Ins App (AppId: 19db86c3-b2b9-44cc-b339-36da233a3be2)** - This is needed for the security info registration flow and can’t be excluded from Conditional Access.
2. **Security Info Registration (User Action)** - You can manage this under 'User Actions > Register security information' in your Conditional Access policies.
3. **MFA Registration Campaign Policy** - If a registration campaign is being run, make sure users you want to exclude from the prompts aren’t included in this campaign.
4. **Authentication Methods Policy** - Confirm that users are allowed to use Microsoft Authenticator and aren't set to passwordless-only options.

AccountTroubleshooter -

I understand your frustration! Just to add context, I can't exclude those apps either since they are mandatory. Plus, it's not our campaign, so excluding users isn’t an option.
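To find which policies touch the registration flow described in the answer above, here is an added example (not code from this thread) that triages Conditional Access policies. It assumes they were exported in the JSON shape of Microsoft Graph's `conditionalAccessPolicy` resource. The `policy` helper, the `RESTRICTIVE` set, the sample policies and the all-zero GUIDs are constructed for illustration.

```python
# AppId quoted in the answer above; the user-action value is Microsoft Graph's
# identifier for "Register security information".
MY_SIGNINS_APP_ID = "19db86c3-b2b9-44cc-b339-36da233a3be2"
REGISTER_ACTION = "urn:user:registersecurityinfo"
# Assumption: these grant controls are the ones an unmanaged device cannot satisfy.
RESTRICTIVE = {"block", "compliantDevice", "domainJoinedDevice"}

def policy(name, state, controls, include=(), exclude=(), actions=()):
    """Build a constructed policy in the shape of Graph's conditionalAccessPolicy."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude),
                                            "includeUserActions": list(actions)}},
            "grantControls": {"builtInControls": list(controls)}}

# Constructed sample data; the all-zero GUIDs are placeholders, not real app IDs.
SAMPLE = [
    policy("Require compliant device", "enabled", ["compliantDevice"],
           include=["All"], exclude=["00000000-0000-0000-0000-000000000001"]),
    policy("Require MFA for all apps", "enabled", ["mfa"], include=["All"]),
    policy("Block registration off-network", "enabledForReportingButNotEnforced",
           ["block"], actions=[REGISTER_ACTION]),
    policy("Block one legacy app", "enabled", ["block"],
           include=["00000000-0000-0000-0000-000000000002"]),
]

def registration_blockers(policies):
    """Return (name, reason, controls) for enforced policies that can stop registration."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":  # skip disabled and report-only policies
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        included = set(apps.get("includeApplications") or [])
        excluded = set(apps.get("excludeApplications") or [])
        actions = set(apps.get("includeUserActions") or [])
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        hits = sorted(controls & RESTRICTIVE)
        if not hits:
            continue
        if REGISTER_ACTION in actions:
            reason = "targets the 'Register security information' user action"
        elif MY_SIGNINS_APP_ID in included or (
                "All" in included and MY_SIGNINS_APP_ID not in excluded):
            reason = "covers the My Sign-Ins app"
        else:
            continue
        findings.append((p.get("displayName"), reason, hits))
    return findings
```

On the sample, only "Require compliant device" is returned: it targets all cloud apps, so it also covers My Sign-Ins even though other apps are excluded from it.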
