Infinite Loop of Authentication when choosing required strength Passwordless MFA

rui yi gan 15 Reputation points
2024-05-30T03:24:26.45+00:00

Hi all, I am currently trying to set up a Passwordless MFA sign in using the Microsoft Authenticator. I have a conditional policy with grant access as Require authentication strength set as Passwordless MFA.

I have an external React SPA application using msal-react to handle the login, registered with my tenant.

When I create an internal account in my tenant and try to log in to my React application, I keep getting this infinite loop.

After keying in the password I got:

Screenshot 2024-05-30 at 11.21.12 AM

And clicking next goes to
Screenshot 2024-05-30 at 11.21.40 AM

Here I was expecting the setup for Microsoft Authenticator (which I did receive if I use the Require MFA option instead of the Require authentication strength, but I don't want that as I want to force my user to use the Authenticator Passwordless sign in).

If I click mysecurityinfo and login I get

Screenshot 2024-05-30 at 11.23.01 AM

And the infinite cycles begin

Please advise!!!!!

Some more configuration:
Registration Campaign is disabled and security defaults are also disabled.


2 answers

  1. Niclas Schwarz 0 Reputation points
    2025-05-07T13:14:34.68+00:00

    We also have the same problem. I tested various combinations and could identify that passwordless MFA is only working when the affected users are already enabled to use passwordless sign in.

    This means they configured their MS Authenticator with this option: Passwordless Mode fails on my Microsoft Authenticator: HP Authentication Suite - Support

    When I applied the policy to a user that already had a functioning MS Authenticator connection but WITHOUT passwordless authentication enabled in MS Authenticator, the user gets stuck in the loop.

    But when the user already enabled passwordless authentication in MS Authenticator, he could pass the authentication and log in without getting stuck.

    Although I also would have expected otherwise, Microsoft does not seem to cover migrating users who are not in passwordless mode yet to the passwordless state by a nice prompt during the auth flow when choosing passwordless MFA. Instead, the policy just requires all affected users to be passwordless already - otherwise they will get stuck in the loop.

    Have you ever figured out how to cope with this issue? The insights I gained are practically making it impossible for us to use passwordless MFA since new users who need to set up their MS Authenticator app for the first time during onboarding are not passwordless and would therefore always end up in the loop.


  2. areels 0 Reputation points
    2025-05-21T06:14:58.62+00:00

    Hello

    I think Microsoft is trying to solve this issue by excluding the signup process only from the conditional access.

    If you go to edit your conditional access policy you will see this:

    Target resources > Select what this policy applies to > "Authentication context"

    So somehow we have to find a way to exclude this authentication context from the rest of the conditional access policy, but there is no clear guide explaining how that should work.

    Can you figure that out?

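A pre-flight check based on the observation in the first answer, added here as an example and not code from the thread or from Microsoft: it groups the users a Passwordless MFA policy would target by whether they already have passwordless sign-in registered. The record fields (`userPrincipalName`, `isPasswordlessCapable`, `methodsRegistered`) and the method names are assumed to match the Microsoft Graph userRegistrationDetails report; the sample data is constructed.

```python
# Pre-flight check before scoping a "Passwordless MFA" authentication-strength
# policy: who would pass, and who would hit the loop described in the thread?
# Field and method names are ASSUMED to match the Microsoft Graph
# userRegistrationDetails report; verify against your tenant's output.

def classify(record):
    """Return 'ready', 'push_only' or 'unregistered' for one report row."""
    methods = set(record.get("methodsRegistered") or [])
    if record.get("isPasswordlessCapable") or \
            "microsoftAuthenticatorPasswordless" in methods:
        return "ready"
    if "microsoftAuthenticatorPush" in methods:
        return "push_only"   # Authenticator registered, passwordless not enabled
    return "unregistered"    # e.g. a new user during onboarding

def preflight(report, targeted_upns):
    """Group the policy's targeted users by readiness.

    report: dict shaped like a Graph list response ({"value": [...]}).
    targeted_upns: users the Conditional Access policy would apply to.
    Users missing from the report are treated as unregistered.
    """
    by_upn = {r["userPrincipalName"].lower(): r
              for r in report.get("value", [])}
    result = {"ready": [], "push_only": [], "unregistered": []}
    for upn in targeted_upns:
        record = by_upn.get(upn.lower(), {})
        result[classify(record)].append(upn)
    return result

# Constructed sample data (not from a real tenant).
SAMPLE_REPORT = {"value": [
    {"userPrincipalName": "alice@contoso.example",
     "isPasswordlessCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush",
                           "microsoftAuthenticatorPasswordless"]},
    {"userPrincipalName": "bob@contoso.example",
     "isPasswordlessCapable": False,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example",
     "isPasswordlessCapable": False, "methodsRegistered": []},
]}

if __name__ == "__main__":
    targets = ["Alice@contoso.example", "bob@contoso.example",
               "carol@contoso.example", "newhire@contoso.example"]
    for state, users in preflight(SAMPLE_REPORT, targets).items():
        print(f"{state}: {', '.join(users) or '-'}")
```

Users in the `push_only` and `unregistered` groups are the ones the first answer reports as getting stuck, so they are candidates for exclusion from the policy until they have enabled passwordless sign-in.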
