So I've been banging my head against this for too long and am hoping someone can suggest something I haven't already tried.
Basically, I've got a user who is unable to set their MFA options. I can set them via the back end, but when they try to log on, they never receive a text or call. Here's what I've tried so far:
1). Ensured that the sign-in isn't blocked (and have also tried enabling/disabling to see if that helped -- it didn't).
2). Reset MFA via "Require Re-register MFA"
3). Tried multiple mobile numbers (including different providers), office numbers, and the authenticator app.
4.) Restarting my mobile phone (didn't think this was help, especially as none of the other mobiles phones/office phones worked either, but it was suggested, so I tried it anyway).
5.) Verified that when I tried changing stuff on my account's MFA settings, everything went swimmingly --which tells me it's almost certainly something to do with the account and not the MFA service).
When I set the primary authentication option (from portal.azure.com -> Users -> affected user -> Authentication Methods) to a phone number (Phone type: Mobile), I see the typical "We texted your phone +X XXXXXXXX47. Please enter the code to sign in." message, but no text ever comes through (and I've double- and triple-checked the number to make sure it's correct)
When I select the option to "Sign in a different way", and choose to have it call either the same number, or an alternate one I'd configured via the same method (Phone type: Office), I see the normal "We're calling your phone. Please answer it to continue.", but then I get a line of red text that states "We called your phone but didn't receive the expected response. Please try again." LIES. But at least then I'm able to view additional details:
Error Code: 500121
Request Id: 93c51ff7-b652-4777-abec-5aa117353100
Correlation Id: 3820b4e3-0a6a-4073-b706-926fb7247e9d
Searching for that error gets me a description of:
Error Code: 500121
Message: Authentication failed during strong authentication request.
Remediation: The user didn't complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or has an issue with their authentication setup.
So ... yeah, I'm stuck. If I set the users' MFA auth. options manually, they don't work. If I delete all MFA options, the user gets prompted to create set up their MFA options at next login, but isn't able to save them as doing so requires being able to successfully receive either a call or text from the MFA service. I've tried having them install the MS Authenticator app as well, but when the MFA site generates the QR Code, the Authenticator app just tells me:
Unable to add the account.
We couldn't add the account. Please verify that the activation code is correct and push notifications are enabled on your device for this app" (it is).
Likewise, if I try to manually enter the code and URL, the app tells me "QR code already used. You've already used this QR code to add an account. Generate a new QR code and try again."
Again, MFA is working for all of the other 100+ people in the office, but not this one person and for the life of me, I just don't know why. So if anyone can think of or suggest something I haven't tried yet, it'd be very much appreciated (especially if it fixes the issue).