iOS 2FA Edit Settings Continually Prompt When Password Changed

Visitor

I wanted to get an idea if others in the community are having these issues or if we're doing something incorrectly.

2FA is successfully implemented and working on our iOS devices. The issue comes with password changes and the iOS device prompting to "Edit Settings" for the native mail app.

After going through and updating your password, you get the 2FA prompt. If you never return to the settings screen, the native mail profile doesn't update and you're continually prompted to "Edit Settings".

The only way the mail profile successfully updates is if you do the following:

  1. Long press on the Microsoft Authenticator notification and approve the sign in.
  2. Go into the Microsoft Authenticator, approve the login and return to the previous screen.
  3. Use SMS to force the user to return to the settings screen and complete the profile update.

Most of our users utilize the Authenticator App and we receive lots of helpdesk tickets because they are not returning to the setup screen to finish updating the profile and then they are inundated with a continual prompt "Edit Settings".

The whole process seems a bit clunky and I would imagine it's more of an Apple issue, but I wanted to see if others are having this issue.

1 Reply
I've seen this same behavior in two separate customer tenants. What appears to be happening is if the Authenticator Mobile App had *any* previous registration, then after a password change, the broker relationship is lost (Authenticator App is used as a Broker to register the device into Azure AD for conditional access purposes) and so I believe the prompting is caused by conditional access not being satisfied with device claim being met. You can work around this issue by modifying conditional access to not look for a particular device type (iOS/Android) but I feel like this is a bug and I recommend you open a support case with Microsoft.