MS MFA Authenticator issues China

Yves 10 Reputation points
2024-10-25T08:23:23.43+00:00

Hello everyone,

I'm hoping someone can help with the following issue as I'm running out of ideas.

For our APAC Region - specifically China - the MFA authenticator is being enforced.

The problem we're having is that the QR codes that the employees need to scan, always comes back as "already scanned".

  • Resetting the MFA through the portal
  • Require re-register
  • Cleaning browser cache
  • Cleaning phone cache

All these things won't help getting a new QR code for our colleagues to continue.

If i try one of the user's account on my Belgium PC, i am able to scan the QR code. The account gets added to my MS MFA Authenticator app but i still can't click next.

The MS website keeps getting a time out. I have screencaptured this to share in PM if need be. It basiscly says a time-out was encountered and to try again. But the same error keeps returning.

When i check in the portal the authenticator is added but when i try to login it isn't and it enforces me again to readd the authenticator. The QR code works again but the time-out error also returns.

Here in Belgium we're able to change to an alternative like Google Authenticator for our MS account but it seems that this is being blocked in China.

Any advice is welcome to help your Asian colleagues back on the road.

I hope you all have a nice day!

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
7,138 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Vinodh247 23,346 Reputation points MVP
    2024-10-27T13:46:59.4366667+00:00

    Hi Yves,

    Thanks for reaching out to Microsoft Q&A.

    The situation you're facing with MFA in China could stem from a few common issues specific to the region, particularly due to restrictions and network configurations that might differ from those in Belgium or other regions.

    Here are some strategies to help troubleshoot and resolve the issue:

    1. Network Restrictions and VPNs
    • Issue: China’s internet restrictions could be impacting the availability and connectivity of Microsoft services required for authentication.
    • Solution: Suggest that users try connecting through a VPN that’s configured for international access. However, be mindful that VPNs can have legal restrictions in China. Using a company-approved VPN solution might help maintain a stable connection to Microsoft’s authentication servers.
    1. Microsoft Authenticator Timeout
    • Issue: If there is a timeout when connecting to Microsoft services, this could be due to intermittent internet access or latency.
    • Solution: Encourage users to try the authentication process at different times of day, as traffic and connectivity fluctuations can sometimes resolve issues. Additionally, try completing the setup on different networks (ex: mobile data vs. Wi-Fi) if possible.
    1. Alternative Authentication Methods
    • Issue: Some authenticator options, like Google Authenticator, may be restricted in China, impacting your ability to use alternative MFA methods.
    • Solution: Explore the use of SMS-based or phone call-based MFA as a backup, if Microsoft Authenticator cannot reliably function. Phone-based MFA options are often more resilient in regions with strict internet controls, as they only require SMS or voice call capabilities rather than internet connectivity.
    1. Resetting MFA with Support from Microsoft
    • Issue: If the MFA app repeatedly indicates that it’s “already scanned,” it may require backend intervention.
    • Solution: Submit a request to Microsoft support to check if there is an issue with residual cached sessions or configuration issues for MFA setup in the Azure portal for affected users. Sometimes backend refreshes can clear such configurations.
    1. Browser and Device Locale/Region Settings
    • Issue: Locale differences between China and Belgium might affect the experience. Cached sessions and region-based configurations can sometimes disrupt the authentication flow.
    • Solution: Have the user’s device and browser set to the English (United States) locale or match the locale to that of your APAC settings in AAD if applicable. Additionally, clearing caches and resetting browser locale settings to default or English might be beneficial.
    1. Enable Specific Conditional Access Policies for APAC
    • Issue: Conditional Access policies might need to be adjusted to accommodate users in restricted internet environments.
    • Solution: Consider configuring region-based Conditional Access policies in Azure AD for users in China, allowing them to use alternative MFA methods temporarily or loosen restrictions if necessary.
    1. Diagnostics with Microsoft Support
    • If all the above solutions do not work, Microsoft Support can run diagnostics on AAD MFA service availability and logs specifically for the region in question, which could uncover network-specific issues or restrictions affecting Azure MFA setup and authentication.

    These solutions should cover both network-related restrictions and regional compatibility issues with MFA for your colleagues in China.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.