One of our users recently got a new phone (previous one broke).
From Entra, we did "Require re-register multifactor authentication" so he could reconfigure MFA with his new phone.
He was using OTP with Microsoft Authenticator (previous phone) and is now using Notifications with Microsoft Authenticator (new phone).
MFA is working as intended everywhere except one app: Azure Portal (portal.azure.com).
For some reason, when he tries to connect to that website, it's asking for his previous MFA method (which doesn't exist anymore under his profile).
Looking at his Sign-in logs, there's a strange behaviour where the User field is either his UserID or in the form of "UserPrincipalName LastName" instead of "FirstName LastName" when the Status field is Failure or Interrupted.
We tried both in an Incognito window and a second browser.
My question is why this app and only this app? I looked it up in our Enterprise Apps and there's nothing particular about its configuration.
EDIT: No Conditional Access policy is affecting this.