Issues with Authentication Methods Migration

Ben Gettis 0 Reputation points
2023-04-11T21:10:12.8233333+00:00

We recently attempted to migrate our MFA and SSPR policy settings to the Authentication methods policy for Azure AD as described below. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage After the migration, users were able to log in. However, we did notice that our Global Administrators (which are unlicensed) could not login. The methods that are enabled are Microsoft Authenticator, Third-party software OAUTH tokens, and Email OTP. The global administrators are using a 3rd party OATH solution and have Email OTP setup for SSPR. User's image

After marking the migration as complete, the following started happening to our Global Administrator accounts. When logging in, we would enter in username and password. After this, it would bring us to the More Information Required page. We would click Next which would bring us to the mysignins.microsoft.com page where it asks to confirm your authentication methods. It showed both Authenticator and Email OTP as configured, said everything was setup correctly and we clicked Next. This would bring us back to the page saying More Information Required page and it kept looping. After researching, I did stumble across the below article. It appears there was possibly a bug at one point that prevented Global Administrators from signing in if they didn't have a phone-based authentication method setup. This appears to only have been an issue if security defaults were enabled which is not the case for us. Can it be confirmed if the reason for my issues was because I don't have a phone-based authentication method for the global administrators or if it is something else? I don't want to risk trying this again and go through the huge headache of getting back into our account unless I am pretty sure it is going to work. https://learn.microsoft.com/en-us/answers/questions/950942/guests-with-global-admin-can-not-login-to-azure-po

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 30,931 Reputation points Microsoft Employee
    2023-04-17T06:31:05.6266667+00:00

    @Ben Gettis Thank you for reaching out to us and providing the detailed description of the issue, to understand what went wrong for Global Administrators access in your tenant, just wanted to check if you have got a chance to review sign in/audit logs at the time of issue.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-in-diagnostics-scenarios

    If required we can connect offline to discuss further on this, you can email me on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" along with your Azure subscription id.