Invalid Username and password error when I enable per-user MFA for local accounts

Ayat Idris 1 Reputation point
2020-03-22T06:03:26.297+00:00

I enabled MFA on my local account and I followed this documentation, then I tried to log in with my local account, but I am getting invalid username and password.

5351-invalidusernameandpw.png

But the sign-in activity is logging that the failure reason is "User needs to enroll for second factor authentication".

5352-error.png

Do I need to add a Conditional Access Policy to enable MFA for local accounts?

1: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates


2 answers

  1. soumi-MSFT 11,756 Reputation points Microsoft Employee
    2020-03-23T09:29:44.747+00:00

    @Ayatldris-1935, I was neither able to open the document you shared above nor was I able to open the screenshots you shared. But based on the information provided, I would like to state that when you say enable MFA on a user, you either enable the MFA using the option as shown in the screenshot:
    5451-mfaoption.png

    Or, you enable it using Conditional Access Policy.

    Now, once you enable MFA for the first time, and then you try to log in, once the 1st factor auth is done, i.e. entering the username and password, then Azure takes you to the URL https://aka.ms/mfasetup and asks the user to perform the proofup, where the user enters his/her preferred MFA methods [based on what options the Admin has provided]. Once done, henceforth the user gets the MFA options while logging in.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  2. soumi-MSFT 11,756 Reputation points Microsoft Employee
    2020-03-24T14:57:10.793+00:00

    @Ayat Idris, thank you for sharing the details. From the screenshot I can see that you are using a B2C tenant and this is not the same as your regular Azure AD. In a B2C tenant, usually apps that are to be used by the general public are published. These apps are for the entire world to access and are different from Organization apps. Due to this, in a B2C tenant, we allow users who have their identities with various other Identity providers like Google, Amazon, LinkedIn, Facebook, Twitter etc. to use those accounts and log in/sign up in your app published in the B2C tenant.

    So enabling the MFA for the B2C tenant would be a little different from that of the normal Azure AD tenant. Here you just need to enable the MFA from the User Flow, as you mentioned in the second screenshot of yours, and the step you performed in the first screenshot can be ignored.

    I just tested enabling of MFA in my B2C tenant and while signing up using my Gmail account, I was asked to enter my phone number and then I got the MFA call from Microsoft. You can refer to the URL mentioned below to enable MFA for your B2C tenant [which I believe you have already done], but just have a look once just to make sure all the points here are met in your deployment.
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-multi-factor-authentication

    If the issue still persists, please do drop me an email to azcommunity[at]microsoft[dot]com with the following details:

    • Tenant Name/ID
    • Subscription ID
    • Preferred time with timezone to set up a Teams meeting

    Do let us know these details and do not forget to add the reference of this thread so that it's easier for me to identify and get back to you sooner.

    Also, do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.