What Could Cause MFA to Fail Yet Still Allow Login?

Asked By TechieRanger99 On

I have an Entra ID set up with a general MFA policy for all users, which is applicable to every app and any network. The policy is configured to require multifactor authentication, without relying on authentication strength, and the sign-in frequency is set to every 7 days.

Recently, a user logged into Microsoft Teams on their iPhone using the official Microsoft Authenticator app. After entering their password, they received a push notification asking for a 2-digit code, but then they were prompted by a pop-up that asked if they were trying to log in. This pop-up was not from the Microsoft Authenticator app. The user clicked 'Yes' and gained access to Teams despite the logs indicating that the mobile app notification had failed (authentication status was 'false'), yet the application showed a status of 'success'.

I'm puzzled as to how the user was able to log into Teams when it appeared that the conditional access policy didn't succeed, and they never entered the 2-digit code. Can anyone provide insight into how this might happen?

5 Answers

Answered By SecuritySleuth11 On

When the user sees the Authenticator pop-up, it's possible that the app doesn't require the 2-digit code if it's coming from the same device. Look for any notification history to see which app triggered the 'are you trying to login' pop-up. There’s a strong chance that it was the Authenticator app after all.

Answered By AdminGuru87 On

It seems like MFA isn't truly failing; it might be more about configuration issues or potential environmental changes. For example, if the user is on a VPN or there's something altered in their setup, it could affect the authentication process. Microsoft’s telemetry isn’t always straightforward, so if you can get access to the user's device, a thorough check-up might help. If it's a company device, consider resetting it completely, which could save time and headaches.

Answered By NetworkWhiz42 On

You might want to check if the user has multiple authentication methods set up. The 'success' result in the conditional access policy means whatever method they used met the policy requirements. It's possible that they have more than just the Microsoft Authenticator app enabled, which could explain the successful login.

Answered By DataNerd88 On

Instead of focusing on the 'Succeeded' column in the logs, try checking the 'Status' column. It might show as 'Interrupted', indicating that the login flow was halted during the MFA prompt, which could offer more clarity on the situation.

Answered By LogAnalyzer71 On

You're likely dealing with an interrupt event. Make sure to look at those success events too, as they could give you a better picture of what really happened during the login attempt.
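The checks suggested in the answers above (look at the overall status rather than a single failed step, and read the interrupted and success events together) can be scripted over exported sign-in logs. The following is an added example, not part of the original thread: it assumes records shaped like Microsoft Graph `signIn` objects, and the sample records, correlation IDs and result strings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real log data), shaped like Graph signIn objects.
SAMPLE = [
    {"correlationId": "c-0001", "createdDateTime": "2024-01-01T09:00:05Z",
     "status": {"errorCode": 50074}, "conditionalAccessStatus": "failure",
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": False}]},
    {"correlationId": "c-0001", "createdDateTime": "2024-01-01T09:00:20Z",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    {"correlationId": "c-0002", "createdDateTime": "2024-01-01T10:00:00Z",
     "status": {"errorCode": 50074}, "conditionalAccessStatus": "failure",
     "authenticationDetails": [
         {"authenticationMethod": "Password", "succeeded": True},
         {"authenticationMethod": "Mobile app notification", "succeeded": False}]},
]

def summarize_attempts(sign_ins):
    """Group events by correlationId and report which second-factor steps failed or passed."""
    attempts = defaultdict(list)
    for event in sign_ins:
        attempts[event["correlationId"]].append(event)
    report = {}
    for cid, events in attempts.items():
        events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC strings sort by time
        # Assumption: any step other than "Password" is treated as a second factor.
        steps = [(d["authenticationMethod"], d["succeeded"])
                 for e in events for d in e.get("authenticationDetails", [])
                 if d["authenticationMethod"] != "Password"]
        final = events[-1]
        report[cid] = {
            "events": len(events),
            "final_error_code": final["status"]["errorCode"],  # 0 means the sign-in completed
            "conditional_access": final.get("conditionalAccessStatus"),
            "failed_methods": [m for m, ok in steps if not ok],
            "satisfied_by": [m for m, ok in steps if ok],
        }
    return report

if __name__ == "__main__":
    for cid, summary in summarize_attempts(SAMPLE).items():
        print(cid, summary)
```

An attempt that lists a failed method and a non-empty `satisfied_by` is an interrupted flow that was later completed; a non-zero final error code with an empty `satisfied_by` is a sign-in that never passed MFA.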
