Microsoft Authenticator on Android "Failed to register for receiving push notifications"

Question

I've been stuck here for months. I've googled and not found anyone else with the same exact problem.

I am the Azure and domain administrator for my company. We're on Microsoft 365 E3.

I've been unable to get Passwordless authentication working with push notifications for myself or my employees.

We can successfully use Android Microsoft Authenticator for one-time codes. Push notifications DO come through on Android in this mode.

Push notifications DO NOT come through, and registration for push notifications fails, when enabling Passwordless.

Plus, the enrollment into Passwordless is very challenging for users. If I want to register my Microsoft Authenticator for passwordless auth, I have to time things so the one-time code rolls over giving me 30 seconds, then write down the new one-time password code, log in with email and password and use the OTP to get through the process. This is very challenging to guide my employees through.

Once enabled in this way, the Authenticator no longer receives push notifications during log ins.

Users have to log into their web app, and when prompted with the three 2-digit codes, unlock their phone, open the Authenticator app on their phone, tap into the right Work account, then pull-down to refresh. Only then are the codes shown.

On Android, if the user, registered for Passwordless, clicks in the app the "Update phone sign-in", the "Registering for push notifications..." dialog pops up, then a small toast notification near the bottom of the screen says, "Failed to register for receiving push notifications".

In the list of accounts within Microsoft Authenticator, my work account has an icon on the left hand side. It is a red exclamation mark surrounded by a red circle.

I understand Android push notifications rely on Google Firebase Cloud Messaging. There's nothing in our environment in the United States that would block cloud messaging. Google push notifications work fine in every other app, and even work fine in Microsoft Authenticator in simple OTP mode.

In the Android app settings, Battery optimization is set to "Not optimized". Notifications are all allowed.

I've checked every setting I can find. I'm utterly stuck.

Thanks.

Answer 1

We got the fix for you!! Seems “Azure Multi-Factor Auth Connector” was disabled on our accounts. This will allow you to get the push notifications for the number matching challenge without the need to manually poll by refreshing the pulling the app.

Open PowerShell and use “Connect-MsolService”
Login with Global Administrator Account
Run “Get-MsolServicePrincipal -AppPrincipalId 1f5530b3-261a-47a9-b357-ded261e17918”
If it is False, run “Set-MsolServicePrincipal -AppPrincipalId 1f5530b3-261a-47a9-b357-ded261e17918 -AccountEnabled:$true”
In the Authenticator App on your phone, click the arrow to run “Update phone sign-in” again, the exclamation mark should go away

At this point you can close the Authenticator App and try to login to your Office 365 account. It should start prompting you without manually opening the App!

Hope that helps!

reference
https://www.jasonsamuel.com/2019/03/04/how-to-setup-password-less-phone-sign-in-authentication-with-microsoft-authenticator-azure-ad-and-citrix-workspace/

Answer 2

I had to enable the Azure Multi-Factor Auth Connector per the documentation below. Once I did that it started working.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone