Microsoft Authenticator required while enrolling corporate iOS device [loophole]

PBMc 76 Reputation points
2023-09-27T19:43:45.3133333+00:00

Hi,

Recently, Microsoft has been requiring users to have Authenticator set up so they can log in for the first time.

It would be fine if the device we need to set up first weren't the corporate phone, which goes through the Intune enrollment process.

I'd like to know from you if there is a workaround or a different approach to this process.

When we start to set up the iOS phone, it starts the Intune process to sign in the user; it's a brand new AAD user with no authentication methods set up yet.

The loop starts now, because it asks to set up the Authenticator app, but I'm trying to set up the phone for it.

So, what I have to do is set it up on my device first and finish the enrollment; the apps and policies are applied fine.

We go to Entra > Users > Authentication methods > delete my phone from the usable authentication methods.

Log into office.com with their credentials and set Authenticator up on the right phone.

This started to happen recently; before, we could just bypass this with an SMS code.

Is there a way to bypass it now that Authenticator is required to log into the account for the first time?

Maybe a temporary pass?

Let me know if I'm missing any information or a setting somewhere.

Thank you.


1 answer

  1. Fiona Matu 91 Reputation points Microsoft Employee
    2024-02-19T18:02:22.9366667+00:00

    Hi @PBMc ,

    The temporary bypass I am familiar with is the One-time bypass feature that can be set in the Azure portal. The one-time bypass feature allows a user to authenticate a single time without performing multi-factor authentication. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

    To create a one-time bypass, follow these steps:

    1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
    2. Browse to Protection > Multifactor authentication > One-time bypass.
    3. Select Add.
    4. If necessary, select the replication group for the bypass.
    5. Enter the username as ******@domain.com. Enter the number of seconds that the bypass should last and the reason for the bypass.
    6. Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.
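As an added example, not part of the question or of Fiona Matu's answer: a Microsoft Graph PowerShell script for the cleanup the asker does by hand (removing the admin's Authenticator registration from the new user) and for issuing a Temporary Access Pass, the "temporary pass" the question raises, which is a different feature from the One-time bypass described in the answer. It assumes the Microsoft.Graph PowerShell module, an account holding the Authentication Administrator role, and that Temporary Access Pass is enabled in the tenant's Authentication methods policy; the UPN is a placeholder.

```powershell
# Added example (not from the post or the answer). Assumes the Microsoft.Graph
# module is installed and that Temporary Access Pass (TAP) is enabled in the
# tenant's Authentication methods policy. $UserPrincipalName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. new.user@contoso.example (placeholder)
    [int] $TapLifetimeMinutes = 60,
    [switch] $SingleUse            # default: multi-use pass, so the enrollment's several sign-in prompts succeed
)

# Least privilege: only the authentication-method scope is requested.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# 1. List the user's Authenticator registrations. In the scenario from the
#    question the only entry is the admin's own phone used for the enrollment.
$methods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName
$methods | Select-Object Id, DisplayName, DeviceTag, PhoneAppVersion | Format-Table

# 2. Remove each Authenticator registration (this is the "delete my phone from
#    the usable authentication methods" step done in the Entra portal).
foreach ($m in $methods) {
    Write-Host "Removing Authenticator registration '$($m.DisplayName)' ($($m.Id))"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
}

# 3. Issue a short-lived TAP so the user can sign in on the corporate iPhone
#    and register Authenticator there, without falling back to an SMS code.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $UserPrincipalName `
    -LifetimeInMinutes $TapLifetimeMinutes `
    -IsUsableOnce:$SingleUse.IsPresent

# The pass value is only returned at creation time; hand it to the user out of
# band and let it expire rather than extending it.
[pscustomobject]@{
    User       = $UserPrincipalName
    Pass       = $tap.TemporaryAccessPass
    StartsAt   = $tap.StartDateTime
    Minutes    = $tap.LifetimeInMinutes
    UsableOnce = $tap.IsUsableOnce
}
```

Run it as `.\Issue-EnrollmentTap.ps1 -UserPrincipalName new.user@contoso.example` (script name and UPN are placeholders); the returned pass is what the user types at the Authenticator prompt during Intune enrollment on their own device.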
