Jpan-4459 asked JonMills-4266 commented

Multiple identity providers/issuers

Hi,

I wanted to turn on MFA for a user, but saw that under the "Identity issuer" it says "Multiple", as opposed to our tenant name (which all of the other users have).
I tried going to authentication methods and deleting everything there, but the issue still persists. The second identity issuer is "phone".
I was able to turn on MFA for all users, except for this one.

What can I do to make our tenant the only issuer/provider of the identity?

Thanks

azure-active-directory

Hi @Jpan-4459 Thank you for reaching out to us.

I have reviewed the ask and I understand that you see "Identity issuer" as "multiple" for a user.

To proceed further, I will need the below information from your end.

  1. Is this a B2C tenant?
  2. Are you using a custom policy wherein we are using any phone number to sign up/sign in? If yes, clearing the MFA details will not remove the secondary identity issuer, which is phone.

If you need a single identity issuer, you need to make sure that only local account signup is configured in the B2C tenant.

If you are using Phone sign up/ sign in, make sure that it is configured per the below article:
Ref.: https://docs.microsoft.com/en-us/azure/active-directory-b2c/phone-authentication

If you have any further queries we can take it up over the call, please email us at AzCommuntity[at]Microsoft[dot]Com, we will be more than glad to assist you further.

-Sagar

Jpan-4459 answered JonMills-4266 commented

Ok, I managed to solve this.
Even though the phone number was deleted, it was still showing Phone as an identity issuer. I added a dummy phone number and deleted it again, and now it's OK.


Sorry man, I got the same problem. Where did you add the dummy number? To the user's profile?

soumi-MSFT answered

Hello @Jpan-4459, thank you for reaching out. Identity Issuer with a value of Multiple states that the user has multiple issuers. You can get the details of the issuers (Identity Issuer) as well as a few other details like Sign-In Type and the Issuer Assigned ID once you click on that "Multiple" hyperlink under the Identity Issuer column.

53331-multipleissuer.png

For the screenshot above you would find the user is a guest user and originally belongs to Gmail. In such cases, where the user belongs to some other AAD tenant or to some other IdP altogether (Guest Users/B2B users), you cannot enable Azure MFA by choosing the per-user MFA option found on top of the AAD-Users portal.
53197-mfa-peruser.png

For Guest users/B2B Users, you can enable MFA using Conditional Access Policy. You can refer to the following link to enable Conditional Access Policy for GuestUsers/B2B Users: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa#:~:text=On%20the%20Cloud%20apps%20page%2C%20select%20Done.,Under%20Enable%20policy%2C%20select%20On.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

multipleissuer.png (8.3 KiB)
mfa-peruser.png (27.5 KiB)
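
An added example, not part of the thread and not Microsoft's code: a Python script that reads user objects in the shape Microsoft Graph returns for the `identities` property (`signInType`, `issuer`, `issuerAssignedId`) and reports which accounts carry an identity issued outside the tenant, including the "phone" issuer of type federated described in this thread. The tenant name, sample users and function names are constructed, and treating "Multiple" as "more than one distinct issuer" is an assumption based on the answer above.

```python
import json

TENANT = "contoso.onmicrosoft.com"  # assumed tenant name (constructed)

# Constructed sample shaped like Graph /users?$select=userPrincipalName,userType,identities
SAMPLE_USERS = json.loads("""[
 {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member",
  "identities": [
   {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
    "issuerAssignedId": "alice@contoso.onmicrosoft.com"}]},
 {"userPrincipalName": "bob@contoso.onmicrosoft.com", "userType": "Member",
  "identities": [
   {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
    "issuerAssignedId": "bob@contoso.onmicrosoft.com"},
   {"signInType": "federated", "issuer": "phone",
    "issuerAssignedId": "+15550100"}]},
 {"userPrincipalName": "carol_example.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
  "identities": [
   {"signInType": "federated", "issuer": "google.com", "issuerAssignedId": null},
   {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
    "issuerAssignedId": "carol_example.com#EXT#@contoso.onmicrosoft.com"}]}
]""")


def issuer_summary(user, tenant=TENANT):
    """Return (label, external): one issuer name or 'Multiple', plus non-tenant identities."""
    identities = user.get("identities") or []
    issuers = {(i.get("issuer") or "").lower() for i in identities}
    label = "Multiple" if len(issuers) > 1 else next(iter(issuers), "")
    external = [(i.get("signInType"), i.get("issuer"), i.get("issuerAssignedId"))
                for i in identities
                if (i.get("issuer") or "").lower() != tenant.lower()]
    return label, external


def audit(users, tenant=TENANT):
    """List every account that carries an identity issued outside the tenant."""
    findings = []
    for user in users:
        label, external = issuer_summary(user, tenant)
        if external:
            findings.append({"upn": user["userPrincipalName"], "label": label,
                             "guest": user.get("userType") == "Guest", "external": external})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f["upn"], "guest" if f["guest"] else "member", f["label"], f["external"])
```

The `guest` flag separates the Guest/B2B case, which the answer above routes to Conditional Access, from a member account that has picked up a second issuer such as phone.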

Jpan-4459 answered Jpan-4459 commented

Hi,

I clicked on the "Multiple" and saw that the Phone is set as an Identity Issuer (type federated).
I'm trying to remove this option, but I can't seem to find a way to do so. How can I remove the phone as an identity issuer?

The account that is created has our domain and everything, it's not an "outside" account.


Hello @Jpan-4459, can you please send us a screenshot of the same? That would help us in getting a better picture. Just send us the screenshot of the user profile and also the details that come up once you click on the "Multiple" hyperlink under the Identity Issuer section.

Hi, this is the screenshot when I check for this user.
I also went to "Authentication methods" for this user, and deleted their phone number, but it didn't change anything.

53527-2021-01-05-11-29-58.png

