AyatIdris-1935 asked HouseofGiantsLLC-8770 commented

Invalid Username and password error when I enable per-user MFA for local accounts

I enabled MFA on my local account and I followed this documentation, then I tried to log in with my local account but I am getting an invalid username and password error.

[Screenshot: invalidusernameandpw.png]

But the sign-in activity is logging that the failure reason is "User needs to enroll for second factor authentication".

[Screenshot: error.png]

Do I need to add a Conditional Access Policy to enable MFA for local accounts?



Tags: azure-active-directory, azure-ad-b2c

soumi-MSFT answered AyatIdris-1935 commented

@AyatIdris-1935, I was neither able to open the document you shared above nor was I able to open the screenshots you shared. But based on the information provided, I would like to state that when you say enable MFA on a user, you either enable the MFA using the option as shown in the screenshot:
[Screenshot: mfaoption.png]

Or, you enable it using Conditional Access Policy.

Now, once you enable MFA for the first time and then try to log in, once the 1st factor auth is done, i.e. entering the username and password, Azure takes you to the URL https://aka.ms/mfasetup and asks the user to perform the proofup, where the user enters his/her preferred MFA methods [based on what options the Admin has provided]. Once done, henceforth the user gets the MFA options while logging in.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.






@soumi-MSFT

Thanks for explaining to me how the MFA works.

I am wondering why the user is not being redirected to set up the second factor auth when I enable MFA for the first time, although I enabled MFA in the sign-in user flow.

0 Votes 0 ·

@AyatIdris-1935, when you say that you have enabled the MFA using the sign-in user flow, are you using the sign-in policy in the B2C tenant? Can you send me the screenshots of where you have enabled the MFA, so that it's easier for me to understand?

0 Votes 0 ·

@soumi-MSFT

I enabled MFA on the user level from here:

[Screenshot: mfa-users.png]

and also enabled MFA in the sign-in user flow as shown in the screenshot below:

[Screenshot: userflow.png]

I hope this helps :)



0 Votes 0 ·
soumi-MSFT answered HouseofGiantsLLC-8770 commented

@AyatIdris-1935, thank you for sharing the details. From the screenshot I can see that you are using a B2C tenant, and this is not the same as your regular Azure AD. In a B2C tenant, usually apps that are to be used by the general public are published. These apps are for the entire world to access and are different from organization apps. Due to this, in a B2C tenant, we allow users who have their identities with various other identity providers like Google, Amazon, LinkedIn, Facebook, Twitter etc. to use those accounts and log in/sign up in your app published in the B2C tenant.

So enabling MFA for the B2C tenant would be a little different from that of the normal Azure AD tenant. Here you just need to enable the MFA from the User Flow, as you mentioned in the second screenshot of yours, and the step you performed in the first screenshot can be ignored.

I just tested enabling MFA in my B2C tenant, and while signing up using my Gmail account, I was asked to enter my phone number and then I got the MFA call from Microsoft. You can refer to the URL mentioned below to enable MFA for your B2C tenant [which I believe you have already done], but just have a look once to make sure all the points here are met in your deployment.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-multi-factor-authentication

If the issue still persists, please do drop me an email to azcommunity[at]microsoft[dot]com with the following details:

  • Tenant Name/ID

  • Subscription ID

  • Preferred time with timezone to set up a Teams meeting


Do let us know these details and do not forget to add the reference of this thread so that it's easier for me to identify and get back to you sooner.

Also, do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.




@AyatIdris-1935, I wanted to follow up with you to check if the above response helped you in answering your query. If it did, please do accept the response as Answer so that it helps others facing similar issues in the community.

0 Votes 0 ·

Hi @soumi-MSFT - I followed the above instructions to set up MFA for my B2C tenant. However, I'd like to have the setting for "remember multi-factor authentication on trusted device" enabled on my B2C MFA. Is this possible? Or is "remember multi-factor authentication on trusted device" only available within AD, not B2C?

0 Votes 0 ·