User is being prompted for his previous MFA method by one single app (Azure Portal)

Mike Gaum 20 Reputation points
2024-03-08T02:40:11.2066667+00:00

One of our users recently got a new phone (previous one broke).

From Entra, we did "Require re-register multifactor authentication" so he could reconfigure MFA with his new phone.

He was using OTP with Microsoft Authenticator (previous phone) and is now using Notifications with Microsoft Authenticator (new phone).

MFA is working as intended everywhere except one app: Azure Portal (portal.azure.com).

For some reason, when he tries to connect to that website, it's asking for his previous MFA method (which doesn't exist anymore under his profile).

Looking at his Sign-in logs, there's a strange behaviour where the User field is either his UserID or in the form of "UserPrincipalName LastName" instead of "FirstName LastName" when the Status field is Failure or Interrupted.

We tried both in an Incognito window and a second browser.

My question is why this app and only this app? I looked it up in our Enterprise Apps and there's nothing particular about its configuration.

EDIT: No Conditional Access policy is affecting this.

Microsoft Entra ID

1 answer

  1. Givary-MSFT 27,486 Reputation points Microsoft Employee
    2024-03-08T03:45:23.7233333+00:00

    @Mike Gaum Thank you for the detailed description of the issue. I would recommend checking this page for the end user, https://mysignins.microsoft.com/security-info, to see whether he still has the old MFA device registered; if it's there, delete it.

    Also, try to delete the cookies and try to access the portal and check.

    If these steps don't help, we can connect offline to troubleshoot further on this.
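
The same check can be made from the administrator side by listing what is still registered on the account. This is an added example, not part of the original thread or of the answer above; it assumes the Microsoft Graph PowerShell SDK is installed and the operator may read users' authentication methods, and the UPN and cut-off date are placeholders.

```powershell
# Added example: read-only inventory of a user's registered authentication methods.
# Assumptions: Microsoft.Graph.Identity.SignIns module is installed; the UPN and
# the re-registration date below are placeholders, not values from the thread.
$upn            = 'user@contoso.example'
$reRegisteredOn = [datetime]'2024-03-01'   # day "Require re-register MFA" was used

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All'

$methods = Get-MgUserAuthenticationMethod -UserId $upn

$report = foreach ($m in $methods) {
    $props   = $m.AdditionalProperties
    # The concrete method type arrives as an @odata.type annotation.
    $type    = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $created = if ($props['createdDateTime']) { [datetime]$props['createdDateTime'] }

    [pscustomobject]@{
        Type        = $type
        Id          = $m.Id
        DisplayName = $props['displayName']      # device name on Authenticator entries
        Created     = $created
        # Not every method type reports a creation date; mark those for manual review.
        Review      = if (-not $created)                  { 'no date, check manually' }
                      elseif ($created -lt $reRegisteredOn) { 'predates re-registration' }
                      else                                 { '' }
    }
}

# Password is always listed; the interest is in Authenticator and OATH entries
# that survived the re-registration.
$report |
    Where-Object Type -ne 'passwordAuthenticationMethod' |
    Sort-Object Type, Created |
    Format-Table -AutoSize

# More than one Authenticator registration usually means the old phone is still listed.
$authApps = @($report | Where-Object Type -eq 'microsoftAuthenticatorAuthenticationMethod')
if ($authApps.Count -gt 1) {
    Write-Warning "$($authApps.Count) Microsoft Authenticator registrations found for $upn"
}
```

The script only reads; any entry it marks for review can then be removed by the user at the security-info page mentioned in the answer or by an administrator in Entra.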