Forum Discussion

Peter Holland
Iron Contributor
Aug 05, 2021

Staged Rollout to Passthrough changing users MFA methods

Hi,

I am in the process of helping a customer migrate their ADFS relying parties to AAD and also migrating their users to passthrough auth from federated.

We have had instances from around 10-20% of just over 200 users so far in the staged rollout pilot of passthrough auth that have found their MFA method was switched to SMS primary once they were included in the pilot. All of these users did have app prompt as their primary with app code and phone call. The org is not meant to be using SMS auth at all. I believe in all instances the users were able to access the MFA portal and re-set their primary method.

Has anyone else run into this? I'm not seeing anything in the user audit log changing the auth methods for the users and am searching for more guaranteed users. Given holidays a lot of users had it happen just over a month ago.

We are looking at eventually switching over around five thousand users, and 10-20% of that would destroy the helpdesk and be a significant impact to user productivity.

  • BilalelHadd
    Iron Contributor
    Hi Peter,

    Could you please give me some more background information?
    The group that you assigned the Staged Rollout feature for, is this group also included in the “Combined registration” feature? Or didn’t you configure this feature yet?

    Regards, Bilal
    • Peter Holland
      Iron Contributor
      This tenant isn't using the combined registration feature at all yet. I have suggested it is worth looking at for them from a user experience standpoint.
      • BilalelHadd
        Iron Contributor
        Hi Peter,

        Thanks for the response.
        I have seen the behavior you are mentioning regarding a text message, but that's only when a user has never signed in before and his or her phone number is configured by an administrator under the authentication methods.

        If they don't want to use the SMS option at all, why is it configured as a method? Is there a possibility to turn it completely off (via the Per-user MFA option and via the Authentication methods in Azure AD)?

        And what you can try is to turn on the Combined registration only for a handful of users (or yourself), to check whether the issue still persists. Sooner or later they will ask you to implement this feature. Besides that, it will ask users to verify their authentication methods, and the behavior might be the same as before (authentication app) instead of SMS.

        Please let me know if you have tested the above.
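
The following script is an added example for this thread, not code from either poster or from Microsoft. It addresses both points raised above: Peter's observation that pilot users' default MFA method flipped to SMS with nothing visible in the audit log, and Bilal's question of whether SMS is enabled tenant-wide at all. It enumerates the members of the Staged Rollout pilot group, records each user's registered methods and preferred second factor, and reads the tenant's SMS authentication-method policy state, so the helpdesk can find affected users before they hit a sign-in prompt. Assumptions: the Microsoft Graph PowerShell SDK is installed, the signed-in account has the read-only scopes listed, the group name is a placeholder to replace, and the preferred-method value is taken from the beta `signInPreferences` endpoint (`userPreferredMethodForSecondaryAuthentication`), which is a beta API and may change.

```powershell
# Added example (not from the thread): audit default MFA methods of a Staged Rollout
# pilot group and the tenant-wide SMS method state using Microsoft Graph PowerShell.
# Assumes the Graph SDK is installed; all scopes below are read-only.

Connect-MgGraph -Scopes 'GroupMember.Read.All','User.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All'

$pilotGroupName = 'PTA-StagedRollout-Pilot'   # placeholder: your Staged Rollout group name

$group = Get-MgGroup -Filter "displayName eq '$pilotGroupName'"
if (-not $group) { throw "Group '$pilotGroupName' not found" }

# 1. Tenant-wide check: is SMS enabled as an authentication method at all?
#    (Authentication methods policy, Id 'Sms', State enabled/disabled)
$policy   = Get-MgPolicyAuthenticationMethodPolicy
$smsState = ($policy.AuthenticationMethodConfigurations | Where-Object Id -eq 'Sms').State
Write-Host "Tenant SMS authentication method state: $smsState"

# 2. Per-user check for every pilot group member
$report = foreach ($member in (Get-MgGroupMember -GroupId $group.Id -All)) {
    $userId = $member.Id
    $upn    = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # skip nested groups, devices, service principals

    # Registered methods (v1.0). The @odata.type identifies the method kind.
    $methods = Get-MgUserAuthenticationMethod -UserId $userId
    $types   = $methods | ForEach-Object {
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }

    # Preferred second factor. Assumption: beta signInPreferences endpoint, which
    # returns userPreferredMethodForSecondaryAuthentication (e.g. push, oath, sms, voiceMobile).
    $pref    = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$userId/authentication/signInPreferences"
    $default = $pref.userPreferredMethodForSecondaryAuthentication

    [pscustomobject]@{
        UserPrincipalName = $upn
        DefaultMethod     = $default
        HasAuthenticator  = ($types -contains 'microsoftAuthenticatorAuthenticationMethod')
        HasPhone          = ($types -contains 'phoneAuthenticationMethod')
        DefaultIsSms      = ($default -eq 'sms')
    }
}

# Users whose default is now SMS are the ones to contact proactively;
# the full report is kept for comparison on the next rollout wave.
$report | Where-Object DefaultIsSms | Format-Table -AutoSize
$report | Export-Csv -Path .\pilot-mfa-defaults.csv -NoTypeInformation
```

Run it once before a group is added to the Staged Rollout and again afterwards; a diff of the two CSV files isolates exactly which users' `DefaultMethod` changed, independent of whether the directory audit log recorded anything. If `$smsState` reports `enabled` for a tenant that is not supposed to use SMS, that is the setting to review in the Authentication methods policy.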
