Hi, I have set up MFA on a domain for a client. I created a conditional access policy and included all users that are mobile phone users. We installed the app and tested. However, a couple of users (both iPhone), when they open up any 365 app, predominantly Outlook, get a message asking to open Authenticator. Then they get a password prompt and this, though verified as the user's 365 password, fails. Do any of you kind wizards have any advice on where I can go to check why this is happening? As a workaround I took them out of the policy and even put them in the exclude, but it still does the same thing.

2 Spice ups

Delete the 365 account in Settings > Mail > Accounts, uninstall and re-install the Authenticator app, sign in to the Authenticator app, then re-add the 365 account to the phone.

1 Spice up

Have done that with same result.

Well, actually the client said they deleted the app, unsure if they went that way, will find out.

1 Spice up

Have the user go to Sign in to your account.
Login and remove the phone from the auth.
Then have them re-add it through the same session.

2 Spice ups

Tried that. I actually think I might have a lead on this: the grant permission was not set to require MFA. Would that have caused it?

Something to consider: sometimes MS Authenticator likes to prompt for MFA as well. The observed behavior of this is the user tries to sign in to O365, is required to authenticate MFA, opens MS Authenticator, and is then asked to authenticate to…Authenticator. When this happens, you'll see the two-digit code in the Authenticator app for like a second, and then get asked to enter the code. This is often confusing, since if you don't see the code on the mobile device you would assume it is asking for your original login code from O365. Alternatively, I would recommend reviewing (and possibly posting if necessary) the failed login attempt details from Entra; you can also see if your conditional access is being applied / satisfied for the login attempt.

2 Spice ups

Go to the Azure portal, navigate to Azure Active Directory > Sign-ins, and check the sign-in logs for the affected users. Look for any failed sign-in attempts and the corresponding failure reasons.

2 Spice ups
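The two checks suggested in this thread (pull the affected user's failed sign-ins with their conditional access result, and confirm the policy's grant control actually includes MFA) can be done from the Microsoft Graph PowerShell SDK. This is an added example, not code from any poster; it assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed and uses a placeholder UPN.

```powershell
# Added example: diagnose a failing MFA sign-in via Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph (Reports + Identity.SignIns modules).
# Read-only scopes: sign-in logs and conditional access policy definitions.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.Read.All"

$upn = "affected.user@contoso.example"   # placeholder, replace with the real UPN

# 1. Recent sign-ins for the user; keep only failures (errorCode 0 = success).
#    Filtering on errorCode client-side avoids unsupported OData operators.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 50 |
    Where-Object { $_.Status.ErrorCode -ne 0 }

$signIns | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        App       = $_.AppDisplayName          # e.g. Outlook on iOS
        Client    = $_.ClientAppUsed           # mobile app vs. browser
        ErrorCode = $_.Status.ErrorCode
        Reason    = $_.Status.FailureReason
        CAStatus  = $_.ConditionalAccessStatus # success / failure / notApplied
        # Which CA policies were evaluated and whether each one was satisfied
        Policies  = ($_.AppliedConditionalAccessPolicies |
                     ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
    }
} | Format-Table -AutoSize

# 2. Confirm each enabled CA policy actually grants with the MFA control.
#    A policy whose BuiltInControls lacks 'mfa' scopes users but never requires MFA.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy      = $_.DisplayName
        State       = $_.State                       # enabled / disabled / report-only
        Operator    = $_.GrantControls.Operator      # AND / OR between controls
        Controls    = ($_.GrantControls.BuiltInControls -join ',')
        RequiresMfa = ($_.GrantControls.BuiltInControls -contains 'mfa')
    }
} | Format-Table -AutoSize
```

A row with CAStatus of notApplied for a user you expected to be in scope, or a policy whose RequiresMfa column is False, points at the policy configuration rather than the phone.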

It seems that the "require MFA" tick box has done the trick. Thanks for the help, all.