Microsoft Authenticator - Set up phone sign-in

Roman King 21

Hello

I have my test (trial) E5 account and now I am trying to test Phone Sign-in using Microsoft Authenticator.
I have registered my phone as a device and I see it in my Azure AD.
Now, when I click "Set up phone sign in" and click "Continue" I get an error:

Account not added

Your organization does not allow you to add your account to Microsoft Authenticator.

Any ideas what is the error?
Google knows nothing...

Clara Snyder 1 Reputation point

2021-05-27T13:54:56.763+00:00

I have the same issue and I have been unable to find any information on this.
Bryan Tran 1 Reputation point

2021-07-23T23:28:53.167+00:00

Same problem here. My account has already been added to authenticator, in fact it was used to 2FA sign-in a second time in order to set up passwordless authentication (or what the original poster, OP, refers as "Set up phone to sign in" which is also correct).

I get the same error and I cannot proceed with passwordless sign-in.

I'm not on a trial account. I'm on Microsoft Exchange Online Plan 1.
Jack Chen 131 Reputation points

2021-07-28T15:19:10.697+00:00

Having same problem to setup passwordless. My phone is already registered to the tenant.
Martin Wüthrich 1 Reputation point

2021-10-06T05:14:28.483+00:00

Hi, maybe it's way too late, but I had the same issue and found this article.
This error also shows up, if you alerady have on Account configured for Passwordless Sign-In / Phone Sign-In, and then try to add an additional account:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone#device-registration

1 answer

Jack Chen 131 Reputation points

2021-07-28T16:58:23.367+00:00
I got same error with my test Azure tenant and after changed some Azure AD setting, it finally worked.

document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone

configurations need to be done on Azure AD ( by global admin ):

in AAD -> Enterprise Application, search "Azure Mul" ( application type is "Microsoft applications" ), then enable "Enabled for users to sign-in" option for Azure Multi-Factor Auth Connector ( There is another application "Azure Multi-Factor Auth Client", might need to do the same ).

Add your user or a proper group into the application's "Users and Groups" so you are allowed to use the app.

Make sure in AAD -> Security -> "Authentication methods", "Microsoft Authenticator" is enabled for all users.

on client side, the device need to be registered into Azure AD.
Please sign in to rate this answer.

1 person found this answer helpful.
Bryan Tran 1 Reputation point

2021-07-28T17:14:37.613+00:00

I can't find either of those apps in Enterprise Application -> New Application -> Search. Is there a way to import them or is there an app store where I can browse for them?

Jack Chen 131 Reputation points

2021-07-28T17:30:48.34+00:00

They are "Microsoft application", by default they are disabled.

Bryan Tran 1 Reputation point

2021-07-28T17:47:28.51+00:00

I'm sorry, I'm getting the same issue. Do you happen to know if Microsoft Exchange Online Plan 1 is eligible for these apps?

Jack Chen 131 Reputation points

2021-07-28T17:49:34.987+00:00

No you don't need to create a new application. Just search existing applications, but make sure to change application type to "Microsoft Applications" first.

Bryan Tran 1 Reputation point

2021-07-28T17:50:53.887+00:00

What I did in the first screenshot would be what you are referring to, right?

Jack Chen 131 Reputation points

2021-07-28T18:06:34.953+00:00

hmm. if you search 1f5530b3-261a-47a9-b357-ded261e17918 , does it show anything?

You can also enable it by powershell:

https://github.com/MicrosoftDocs/azure-docs/issues/40977
Set-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -AccountEnabled $True
Set-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" -AccountEnabled $True

https://social.msdn.microsoft.com/Forums/en-US/be71b85d-d32f-47da-9b69-b141b43d014d/service-principal-not-found-981f26a17f43403ba875f8b09b8cd720-azure-multifactor-auth-client?forum=windowsazureactiveauthentication

mentioned :

You will not see "Azure Multi-Factor Auth Client" in the list of MSOL Service Principals until you have at least one account with an MFA license on your tenant.

But you said you already enabled MFA ( or maybe it's enabled on a admin account so doesn't need MFA license? )

Bryan Tran 1 Reputation point

2021-08-23T17:47:44.037+00:00

I finally found the applications. They are only revealed when you subscribe to Azure AD Premium P1, which was (surprisingly but understandably) not included in my plan. My new problem is enabling passwordless following seeing the two applications.

I don't know how to move forward from Step 1 "Provision User Accounts"

I only have one user (myself) in my org, and they appear in the app's users and groups (see pic)

And in my AD user profile, I can see that I have already been assigned to both apps, yet can't continue or access any of the other settings in the apps...
Sign in to comment