MFA Migration from 365 Admin Center to Entra ID Locks Admin out of Admin Portals

LM-5132 60 Reputation points
2024-08-21T14:20:14.2733333+00:00

Hello,

We recently migrated MFA from the Legacy Microsoft 365 Admin Center to Entra ID Conditional Access Policies. Migration in progress has been active for two weeks with no issues.


However, after switching to "migration complete," we encountered an issue with (Admin-1) who couldn't access any admin portals or SharePoint. When Admin-1 logged into the admin portal, instead of being directed to the Microsoft Authenticator App, he was redirected to a prompt to create an app password. After creating the app password and attempting to log in, he was again redirected to create an app password, creating an endless loop. He is never directed to the authenticator app and is not able to authenticate to gain access to the admin portals.


Admin-1 also encountered the same issue when using the "Break Glass" emergency account, which is excluded from MFA in the 365 Admin Center Legacy policy. I am not sure how this is possible since this is a different username and password.


Our 365 Admin Center MFA Legacy Policy Configurations are as follows:

  • MFA = All Users
  • Emergency access account = MFA Disabled
  • Allow users to create app passwords to sign in to non-browser apps = yes


Methods available to users:

  • Text Message to phone = yes
  • Notification through Mobile app = yes
  • Verification code from Mobile app or hardware token = yes
  • Remember MFA on a trusted device = No


Entra ID Admin Center Configurations:

  • Microsoft-managed conditional access policy, MFA for admins with no exclusions = On
    (Admin-1 and the Emergency account are INCLUDED because it is Microsoft-managed)
  • Conditional Access Policy for all users = On
    (Admin-1 and the Emergency account are excluded from this policy)


Authentication Methods:

  • Microsoft Authenticator = All users, excluding 1 group
  • SMS = All users, excluding 1 group
  • Excluded group = Admin-1 and Emergency Access Account


SSPR (Self-Service Password Reset) = On, with the following methods:

  • Mobile app notification
  • Mobile app code
  • Email
  • Mobile Phone

NOTE: We will most likely be removing Email as an option


To resolve the issue, I, as a remote security administrator, used the emergency account credentials provided by Admin-1 to log into the admin portals successfully. I reverted the manage migration from "complete" back to "in progress," and now Admin-1 has access to everything without being prompted to create an App Password.

Please help us determine the root cause of the issue so we may complete the migration process.

Here is some additional information.

Based on the information you provided we have identified following issue and recommend taking the action to resolve the issue.

Error Code: 50072

Message: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ''.

Action: The user was presented options to provide contact options so that they can do MFA.

  • AADSTS50072 UserStrongAuthEnrollmentRequiredInterrupt: User needs to enroll for second factor authentication (interactive).

Thank you


Accepted answer
  1. Raja Pothuraju 4,935 Reputation points Microsoft Vendor
    2024-08-23T17:46:45.3433333+00:00

    Hello @LM-5132,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you recently migrated authentication methods from Legacy Verification Options to Modern Authentication Methods.

    During the migration, when the "Manage Migration" state was set to "In Progress," all users and administrators were able to log into the admin portals without any issues. However, after you changed the migration state to "Completed," both the admin-1 account and the emergency break glass account started experiencing login issues.

    Thank you for providing additional details about the verification options and Modern Authentication Method policies.

    Based on the configuration settings in place at the time you completed the migration, it seems that the authentication methods were not properly migrated from Legacy to Modern, which is likely why the admin-1 and emergency break glass accounts faced these login issues. Please refer to the following document for guidance on properly migrating authentication methods from Legacy to Modern:

    How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID

    When transitioning to the "Completed" state, you must ensure that all legacy verification options are unchecked on the Per-User MFA Service settings page, as well as any SSPR (Self-Service Password Reset) authentication methods. After completing these steps, confirm that under Modern Authentication Methods, the Microsoft Authenticator method is enabled for all users without any exclusions. Additionally, enable any other methods your organization plans to use (such as SMS, Phone call, FIDO, or OAuth hardware token). Please refer to the screenshots below for further details.

    Uncheck legacy verification options


    Uncheck SSPR Authentication methods


    Note: If your tenant is using security questions for SSPR authentication methods, do not uncheck that option.

    Once these steps are completed, ensure that Modern Authentication Methods are enabled in your tenant. If any user is excluded here, they will not be able to use that authentication method to register or complete the 2FA.


    Then, you can safely change the migration status to "Completed."

    Cause of the Issue: The admin-1 and emergency break glass accounts were likely excluded from Modern Authentication Methods, which prevented them from completing the 2FA process. Once you reverted the migration state back to "In Progress," the admin-1 account was able to log in successfully.

    If you'd like to discuss this configuration more in-depth, I'm happy to connect offline for a remote session to further explain the cause. You can feel free to send me an email at AzCommunity@microsoft.com referencing this issue with the subject line "ATTN:pothurajur" and include a link to the current thread.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Thanks,

    Raja Pothuraju.

    1 person found this answer helpful.
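As an added example (not from the thread, the poster, or Microsoft), a Python preflight check over the Authentication methods policy document that Microsoft Graph returns for /policies/authenticationMethodsPolicy: it flags the exclusions the accepted answer identifies as the cause, so they can be cleared before the migration state is moved to complete. The policy below is a constructed sample with a placeholder group id; fetching the real document from Graph is assumed.

```python
import json

# Constructed sample in the shape of the Microsoft Graph v1.0 response to
# GET /policies/authenticationMethodsPolicy; the group id is a placeholder.
SAMPLE_POLICY = json.loads("""{
  "policyMigrationState": "migrationInProgress",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}],
     "excludeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-0000000000aa"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}],
     "excludeTargets": [{"targetType": "group", "id": "00000000-0000-0000-0000-0000000000aa"}]},
    {"id": "Email", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}], "excludeTargets": []},
    {"id": "Fido2", "state": "disabled", "includeTargets": [], "excludeTargets": []}
  ]
}""")

def preflight(policy: dict) -> list:
    """Return the findings that should block moving policyMigrationState to
    migrationComplete. An empty list means the checks passed."""
    findings = []
    cfgs = {c["id"]: c for c in policy.get("authenticationMethodConfigurations", [])}
    auth = cfgs.get("MicrosoftAuthenticator")
    if auth is None or auth.get("state") != "enabled":
        findings.append("MicrosoftAuthenticator is not enabled")
    elif not any(t.get("id") == "all_users" for t in auth.get("includeTargets", [])):
        findings.append("MicrosoftAuthenticator is not targeted at all_users")
    # A member of an excludeTargets entry can neither register nor use that method.
    # If a Conditional Access policy still requires MFA from such an account (the
    # Microsoft-managed admin policy here), sign-in stalls at enrollment (AADSTS50072).
    for method_id, cfg in cfgs.items():
        if cfg.get("state") == "enabled" and cfg.get("excludeTargets"):
            excluded = ", ".join(t["id"] for t in cfg["excludeTargets"])
            findings.append(f"{method_id} excludes: {excluded}")
    return findings

def clear_exclusions(policy: dict) -> dict:
    """Return a copy with every excludeTargets list emptied, which is what the
    accepted answer prescribes before completing the migration."""
    fixed = json.loads(json.dumps(policy))
    for cfg in fixed.get("authenticationMethodConfigurations", []):
        cfg["excludeTargets"] = []
    return fixed
```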
