Hi Yves,
Thanks for reaching out to Microsoft Q&A.
The situation you're facing with MFA in China could stem from a few common issues specific to the region, particularly due to restrictions and network configurations that might differ from those in Belgium or other regions.
Here are some strategies to help troubleshoot and resolve the issue:
- Network Restrictions and VPNs
  - Issue: China’s internet restrictions could be impacting the availability and connectivity of Microsoft services required for authentication.
  - Solution: Suggest that users try connecting through a VPN that’s configured for international access. However, be mindful that VPNs can have legal restrictions in China. Using a company-approved VPN solution might help maintain a stable connection to Microsoft’s authentication servers.
- Microsoft Authenticator Timeout
  - Issue: If there is a timeout when connecting to Microsoft services, this could be due to intermittent internet access or latency.
  - Solution: Encourage users to try the authentication process at different times of day, as traffic and connectivity fluctuations can sometimes resolve issues. Additionally, try completing the setup on different networks (ex: mobile data vs. Wi-Fi) if possible.
- Alternative Authentication Methods
  - Issue: Some authenticator options, like Google Authenticator, may be restricted in China, impacting your ability to use alternative MFA methods.
  - Solution: Explore the use of SMS-based or phone call-based MFA as a backup, if Microsoft Authenticator cannot reliably function. Phone-based MFA options are often more resilient in regions with strict internet controls, as they only require SMS or voice call capabilities rather than internet connectivity.
- Resetting MFA with Support from Microsoft
  - Issue: If the MFA app repeatedly indicates that it’s “already scanned,” it may require backend intervention.
  - Solution: Submit a request to Microsoft support to check if there is an issue with residual cached sessions or configuration issues for MFA setup in the Azure portal for affected users. Sometimes backend refreshes can clear such configurations.
- Browser and Device Locale/Region Settings
  - Issue: Locale differences between China and Belgium might affect the experience. Cached sessions and region-based configurations can sometimes disrupt the authentication flow.
  - Solution: Have the user’s device and browser set to the English (United States) locale or match the locale to that of your APAC settings in AAD if applicable. Additionally, clearing caches and resetting browser locale settings to default or English might be beneficial.
- Enable Specific Conditional Access Policies for APAC
  - Issue: Conditional Access policies might need to be adjusted to accommodate users in restricted internet environments.
  - Solution: Consider configuring region-based Conditional Access policies in Azure AD for users in China, allowing them to use alternative MFA methods temporarily or loosen restrictions if necessary.
- Diagnostics with Microsoft Support
  - If all the above solutions do not work, Microsoft Support can run diagnostics on AAD MFA service availability and logs specifically for the region in question, which could uncover network-specific issues or restrictions affecting Azure MFA setup and authentication.
These solutions should cover both network-related restrictions and regional compatibility issues with MFA for your colleagues in China.
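An added example, not part of the original answer: a triage script to run over exported sign-in logs before changing Conditional Access or opening a support case, to check whether MFA-step failures really cluster in one country. The field names follow the Microsoft Graph signIn resource; the sample records, the `contoso.example` users, the thresholds and the choice of error codes 50074, 50076 and 500121 as "MFA step" failures are assumptions of this example.

```python
import json
from collections import defaultdict

# Entra ID sign-in error codes this example treats as MFA-step failures (0 = success).
MFA_ERRORS = {50074, 50076, 500121}

# Constructed sample export; keys follow the Microsoft Graph signIn resource.
SAMPLE = json.loads("""[
 {"userPrincipalName":"li@contoso.example","location":{"countryOrRegion":"CN"},"status":{"errorCode":500121}},
 {"userPrincipalName":"li@contoso.example","location":{"countryOrRegion":"CN"},"status":{"errorCode":500121}},
 {"userPrincipalName":"wu@contoso.example","location":{"countryOrRegion":"CN"},"status":{"errorCode":50074}},
 {"userPrincipalName":"wu@contoso.example","location":{"countryOrRegion":"CN"},"status":{"errorCode":0}},
 {"userPrincipalName":"an@contoso.example","location":{"countryOrRegion":"BE"},"status":{"errorCode":0}},
 {"userPrincipalName":"an@contoso.example","location":{"countryOrRegion":"BE"},"status":{"errorCode":50126}},
 {"userPrincipalName":"jo@contoso.example","location":{"countryOrRegion":"BE"},"status":{"errorCode":50074}},
 {"userPrincipalName":"jo@contoso.example","location":{"countryOrRegion":"BE"},"status":{"errorCode":0}},
 {"userPrincipalName":"jo@contoso.example","location":{},"status":{"errorCode":0}}
]""")

def mfa_stats(records):
    """Per-country totals, MFA-step failures, affected users and error codes."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "users": set(), "codes": defaultdict(int)})
    for rec in records:
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        code = (rec.get("status") or {}).get("errorCode", 0)
        entry = stats[country]
        entry["total"] += 1
        if code in MFA_ERRORS:  # password errors such as 50126 are not MFA failures
            entry["failed"] += 1
            entry["users"].add(rec.get("userPrincipalName", "unknown"))
            entry["codes"][code] += 1
    return stats

def regional_outliers(records, min_events=3, ratio=2.0):
    """Countries whose MFA failure rate is >= ratio x the rate everywhere else."""
    stats = mfa_stats(records)
    all_total = sum(s["total"] for s in stats.values())
    all_failed = sum(s["failed"] for s in stats.values())
    flagged = {}
    for country, s in stats.items():
        rest_total = all_total - s["total"]
        rest_rate = (all_failed - s["failed"]) / rest_total if rest_total else 0.0
        rate = s["failed"] / s["total"]
        if s["total"] >= min_events and s["failed"] and rate >= ratio * rest_rate:
            flagged[country] = {"rate": round(rate, 2), "rest_rate": round(rest_rate, 2),
                                "users": sorted(s["users"]), "codes": dict(s["codes"])}
    return flagged

if __name__ == "__main__":
    print(json.dumps(regional_outliers(SAMPLE), indent=2))
```

A country that is flagged with several distinct users points to a regional or network cause; a single user with repeated failures points to that user's registration or device instead.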