Share via

MFA not working after legacy migration

Cyril_934 0 Reputation points
2024-01-19T09:49:58.13+00:00

Hello, We have seen a few months ago the required migration from legacy multifactor authentication to authentication methods policy menu to configure Multiple Factor Authentication. We are using Microsoft Authenticator or OATH third party application. I have configured everything that seems required in the authentication methods policy menu, but when I configured the migration as completed, a few users (not everyone just some people) were not able to login to their microsoft account (Outlook, ...) When trying to login, they received a message "organization needs more information to keep your account secure" and ended up in a loop where they can't login. To make it work again for those people, I had to rollback the migration. Could you help me please ? Thanks a lot, Cyril

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,148 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pinaki Ghatak 3,265 Reputation points Microsoft Employee
    2024-01-19T12:55:51.7466667+00:00

    Hello Cyril Here are some potential solutions based on the information you have provided:

    1. Review the Legacy MFA and SSPR Policies: Before starting the migration, it’s recommended to do an audit of your existing policy settings for each authentication method that’s available for users. This includes documenting which methods are available in the legacy MFA policy and the legacy SSPR policy.
    2. Manage Security Defaults: Some users have reported that they were able to resolve similar issues by managing the security defaults in Azure Active Directory. You can try setting “Enable security defaults” to “No” in Azure Active Directory > Properties.
    3. Clear Browser Cache or Try a Different Browser: The issue might be browser-related. Encourage the affected users to clear their browser cache or try logging in using a different browser. Also try in Incognito mode, as mentioned by Carlos above.
    4. Check Conditional Access Policies: The issue might be related to Conditional Access Policies. Check if the “End user protection Check if the “End user protection” baseline is enabled” baseline is enabled.
    5. Enable Self-Service Password Reset (SSPR): Enabling SSPR and turning on Multi-Factor Authentication (MFA) might help resolve the issue.

    The exact solution may vary depending on your organization's specific configuration and policies.

    0 comments