Questions[entra-id](server)

I’m working in a very small school environment. They’re on M365 A3 licenses and using Entra along with InTune for mdm.

We have (at least in theory) disabled all MFA so that all users (specifically for the students) can just sign in without needing to use Authenticator.

The issue is some students are being prompted to download the Authenticator pp when we do “work / school” sign in. The prompt we’re getting says that our organization requires it.

I’ve disabled MFA in Entra. What could I be missing?

I'm preparing to onbaord a new set of users for MFA authentication with Entra/AD FS, and running into some trouble (thankfully still during the testing phase!)

The environment is an on-premise AD/AD FS server (2019), synching to Entra with P1 to support MFA. This is working for most users. When users activate a new account they are redirected to the MS "ProofUp" process at mysignins.micrsoft.com/security-info per the documentation, and can finish the registration/authentication. It allows them to initially bypass the MFA requirement to reach the "mysignins.micrsoft.com/security-info" page until additional factors are provided, as it should.

However, we have a class of users now who come to us where they already have the Microsoft Authenticator app, and have already signed into the app with our "Work or School account", but have not yet actually finished registering the app for MFA with our Azure/Entra tenant. Notably, the app does NOT appear at all in the Authentication Methods section for the user in the Entra admin console. These are students (we are a university) who used the app to do MFA with an outside service from back before we required student MFA, and we now no longer use that service.

These users are NOT able to load the mysignins.micrsoft.com/security-inf ProofUp page, and instead enter a redirect loop where they continually end up back at our AD FS site saying they need to complete MFA registration.

One key is at no point does the user ever see an actual error message. They just can't move past the AD FS page asking them to register MFA tokens. Anything they do to move forward will redirect them back to this point. Additionally, sign-in logs for these users in Entra will only show "Success" results unless they actual do enter a bad password, and even these are from before we turn on the MFA requirement for the user (or after we release them due to failure).

UPDATE:

I am now able to recreate this for a new test user on demand with these steps:

1. Create a user in the local Active Directory
2. Make sure the user is NOT yet required for MFA and let it sync to Azure AD/Entra
3. Take a test mobile device that is NOT already registered with Entra
4. Install the MS Authenticator app fresh on the device (completely remove it first and then re-install if it's already there so any local data for prior tests is cleared)
5. Login to the Authenticator app as a work/school account with the user credentials created in step 1
6. Close and quit the app.
7. Set the user to require MFA for one of our AD FS Relying Parties (we do that here by adding a group membership in AD)
8. Have the user try to access a protected app

The important thing was steps 5 and 6 happened before step 7.

AD FS will now correctly determine the user needs to complete MFA; it will show them a message per the documentation and then attempt to redirect them to the Entra ProofUp page after 5 seconds. But the proof-up page will not allow access and immediately redirect them back to AD FS to repeat the cycle. The user is prevented from completing the ProofUp process.

Using the "Require Re-register multifactor authentication" button shown below for the user in the admin console does not work to resolve this.

So far, I have two ways I can move these users forward:

1. Manually enter an additional factor for them (such as a cell phone). We'll soon be brining several hundred additional users onboard this way, where I don't necessarily have those cell phone numbers. I need something better.
2. Change the access control policy for the Office 365 app specifically to not require MFA. This isn't as bad as it seems at first, because we use Google Workspace for email and most document services, but it's also obviously not good and not something I want to live with long term.

How can I clear the half-finished Authenticator app registration for these users, or otherwise allow them to move forward with MFA registration?

I can't be the first person to run into this, because it could happe to anyone who skips a step in the normal process and tries to add the Authenticator App too soon.