Staged Rollout to Passthrough changing users MFA methods

%3CLINGO-SUB%20id%3D%22lingo-sub-2616303%22%20slang%3D%22en-US%22%3EStaged%20Rollout%20to%20Passthrough%20changing%20users%20MFA%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2616303%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20am%20in%20the%20process%20of%20helping%20a%20customer%20migrate%20their%20ADFS%20relying%20parties%20to%20AAD%20and%20also%20migrating%20their%20users%20to%20passthrough%20auth%20from%20federated.%3C%2FP%3E%3CP%3EWe%20have%20had%20instances%20from%20around%2010-20%25%20of%20just%20over%20200%20users%20so%20far%20in%20the%20staged%20rollout%20pilot%20of%20passthrough%20auth%20that%20have%20found%20their%20MFA%20method%20was%20switched%20to%20SMS%20primary%20once%20they%20were%20included%20in%20the%20pilot.%20All%20of%20these%20users%20did%20have%20app%20prompt%20as%20their%20primary%20with%20app%20code%20and%20phone%20call.%20the%20org%20is%20not%20meant%20to%20be%20using%20SMS%20auth%20at%20all.%20I%20believe%20in%20all%20instances%20the%20users%20were%20able%20to%20access%20the%20MFA%20portal%20and%20re-set%20their%20primary%20method.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anyone%20else%20run%20into%20this%3F%20I'm%20not%20seeing%20anything%20in%20the%20user%20audit%20log%20changing%20the%20auth%20methods%20for%20the%20users%20and%20am%20searching%20for%20more%20guaranteed%20users.%20Given%20holidays%20a%20lot%20of%20users%20had%20it%20happen%20just%20over%20a%20month%20ago.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20are%20looking%20at%20eventually%20switching%20over%20around%20five%20thousand%20users%20and%2010-20%25%20of%20that%20would%20destroy%20the%20helpdesk%20and%20be%20a%20significant%20impact%20to%20user%20productivity.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2616303%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Epassthrough%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Estaged%20rollout%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2652437%22%20slang%3D%22en-US%22%3ERe%3A%20Staged%20Rollout%20to%20Passthrough%20changing%20users%20MFA%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2652437%22%20slang%3D%22en-US%22%3EHi%20Peter%2C%3CBR%20%2F%3E%3CBR%20%2F%3ECould%20you%20please%20give%20me%20some%20more%20background%20information%3F%3CBR%20%2F%3EThe%20group%20that%20you%20assigned%20the%20Staged%20Rollout%20feature%20for%2C%20is%20this%20group%20also%20included%20in%20the%20%E2%80%9CCombined%20registration%E2%80%9D%20feature%3F%20Or%20didn%E2%80%99t%20you%20configure%20this%20feature%20yet%3F%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%2C%20Bilal%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2652518%22%20slang%3D%22en-US%22%3ERe%3A%20Staged%20Rollout%20to%20Passthrough%20changing%20users%20MFA%20methods%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2652518%22%20slang%3D%22en-US%22%3Ethis%20tenant%20isn't%20using%20the%20combined%20registration%20feature%20at%20all%20yet.%20I%20have%20suggested%20it%20is%20worth%20looking%20at%20for%20them%20from%20a%20user%20experience%20standpoint.%3C%2FLINGO-BODY%3E
Contributor

Hi,

I am in the process of helping a customer migrate their ADFS relying parties to AAD and also migrating their users to passthrough auth from federated.

We have had instances from around 10-20% of just over 200 users so far in the staged rollout pilot of passthrough auth that have found their MFA method was switched to SMS primary once they were included in the pilot. All of these users did have app prompt as their primary with app code and phone call. the org is not meant to be using SMS auth at all. I believe in all instances the users were able to access the MFA portal and re-set their primary method.

 

Has anyone else run into this? I'm not seeing anything in the user audit log changing the auth methods for the users and am searching for more guaranteed users. Given holidays a lot of users had it happen just over a month ago.

 

we are looking at eventually switching over around five thousand users and 10-20% of that would destroy the helpdesk and be a significant impact to user productivity.

5 Replies
Hi Peter,

Could you please give me some more background information?
The group that you assigned the Staged Rollout feature for, is this group also included in the “Combined registration” feature? Or didn’t you configure this feature yet?

Regards, Bilal
this tenant isn't using the combined registration feature at all yet. I have suggested it is worth looking at for them from a user experience standpoint.
Hi Peter,

Thanks for the response.
I have seen the behavior you are mentioning regarding a text message, but that's only when a user has never signed in before and his or her phone number is configured by an administrator under the authentication methods.

If they don't want to use the SMS option at all, why is it configured as a method? Is there a possibility to turn it completely off (via the Per-user MFA option and via the Authentication methods in Azure AD).

And what you can try, is to turn on the Combined registration only for a handful of users (or yourself). To reproduce if the issue still persists. Soon or late they will ask you to implement this feature. Besides that, it will ask users to verify their authentication methods, and the behavior might be the same as before (authentication app) instead of SMS.

Please let me know if you have tested the above.
Hi, I think wires are crossed due to the mention of not wanting to use the SMS method.

The core issue is that some users who have previously configured app notification in Azure MFA, when enabled for PTA staged rollout are then changed to SMS, as if their MFA is reset or rolled back.

The audit logs are clear as mud but possibly its showing an update to the strongauthenticationmethods for some of these users by AD connect.
Hi Peter,

The issue you currently dealing with was clear to me. Excuse me If it looked like it didn’t.

I am wondering if the value for strong authentication changes when adding someone to the staged rollout group. Could you try to run the below Powershell before and after the user gets added to the group and check the differences in the values?

Connect-MsolService
$User = Get-MSolUser -UserPrincipalName user@domain.com
$User.StrongAuthenticationMethods