25,145 questions
Ok, I managed to solve this.
Even though the phone number was deleted, it was still showing Phone as an identity issuer. I added a dummy phone number and deleted it again, and now it's OK.
Multiple identity providers/issuers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 78%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Jpan
106
Reputation points
Hi,
I wanted to turn on MFA for a user, but saw that under the "Identity issuer" it says "Multiple", as opposed to our tenant name (which all of the other users have).
I tried going to authentication methods and deleting everything there, but the issue still persists. The second identity issuer is "phone"
I was able to turn on MFA for all users, except for this one.
What can I do, to make our tenant the only issuer/provider of the identity?
Thanks
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
SAGOHIL-MSFT 456 Reputation points Microsoft Employee2021-01-04T13:32:04.373+00:00 Hi @Jpan Thank you for reaching out to us.
I have reviewed the ask and I understand that you see "Identity issuer" as "multiple" for a user.
To proceed further, I will need below information from your end.
- Is this a b2c tenant?
- Are you using custom policy where in we are using any phone number to sign-up/ sign in? if yes, clearing the MFA details will not remove the secondary identity issuer which is phone.
If you need single identity issuer, you need to make sure that only local account signup is configured in B2C tenant.
If you are using Phone sign up/ sign in, make sure that it is configured per the below article:
Ref.: https://learn.microsoft.com/en-us/azure/active-directory-b2c/phone-authenticationIf you have any further queries we can take it up over the call, please email us at AzCommuntity[at]Microsoft[dot]Com, we will be more than glad to assist you further.
-Sagar
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 76%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Monique Sehlahlole 0 Reputation points2023-03-22T14:23:08.53+00:00 Hi I really need help, how do I change the Issuer to read ExternalAzureAD
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 22%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDN%3C/text%3E%3C/svg%3E)
Dave Nilson 0 Reputation points2023-08-25T16:41:52.6533333+00:00 You must uncheck "Use for sign-in" in the SMS Authenticaion Policy settings in Azure AD.
Sign in to comment
Accepted answer
-
Jpan 106 Reputation points
2021-01-05T10:36:49.783+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 62%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jon Mills 6 Reputation points2021-11-04T14:27:13.477+00:00 Sorry man, I got the same problem. Where did you add the dummy number? To the user's profile?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 79%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGW%3C/text%3E%3C/svg%3E)
Gene Warren 6 Reputation points2022-12-27T16:11:28.647+00:00 Did you ever get this resolved?
Thanks!
Sign in to comment -
3 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator2021-01-04T13:13:08.48+00:00 Hello @Jpan , thank you for reaching out. Identity Issuer with a value of Multiple states that the user has multiple issuers. You can get the details of the issuers (Identity Issuer) as well as a few other information like Sign-In Type and the Issuer Assigned ID once you click on that "Multiple" hyperlink under the Identity Issuer column.
For the screenshot above you would find the user is a guest user and originally belong to Gmail. In such cases like if the user belongs to some other AAD Tenant or to some other IDP all total (Guest Users/B2B users), you cannot enable Azure MFA by choosing the per-user MFA option found on top of the AAD-Users portal.
For Guest users/B2B Users, you can enable MFA using Conditional Access Policy. You can refer to the following link to enable Conditional Access Policy for GuestUsers/B2B Users: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa#:~:text=On%20the%20Cloud%20apps%20page%2C%20select%20Done.,Under%20Enable%20policy%2C%20select%20On.
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer; if the above response helped in answering your query.
-
Jpan 106 Reputation points
2021-01-04T15:31:26.317+00:00 Hi,
I clicked on the "Multiple" and saw that the Phone is set as an Identity Issuer (type federated).
I'm trying to remove this option, but I can't seem to find a way to do so. How can I remove the phone as an identity issuer?The account that is created has our domain and everything, it's not an "outside" account.
-
soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
2021-01-04T20:41:31.707+00:00 Hello @Jpan , can you please send us a screenshot of the same. That would help us in getting a better picture. Just send us the screenshot of the user profile and also the details that come up once you click on the "Multiple" hyperlink under the Identity Issuer section.
-
Jpan 106 Reputation points
2021-01-05T10:32:46.1+00:00 Hi, this is the screenshot when I check for this user.
I also went to "Authentication methods" for this user, and deleted their phone number, but it didn't change anything.
-
Gene Warren 6 Reputation points
2022-12-27T16:10:16.013+00:00 I have this exact same issue. Were you able to get this resolved? I opened a ticket with Microsoft over a year ago and they have strung me along without resolving for OVER A YEAR! I get monthly updates telling me they are "working on it".
Wishing and hoping you were able to get this resolved.
Thanks!
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 82%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Christopher Bishop 0 Reputation points2023-05-22T11:10:25.45+00:00 Hi
I fixed this issue by going to the authentication methods for the user and clicking the "Disable SMS Sign-in" and took a few minutes but reverted the user back to the Tenant identity (removing the phone federation).
I am not not but it might be related the the MFA authentication methods that are configured
Therefore I am disabling this option for now, as we require password authentication