MFA causing multiple issues

Iron Contributor

Dear community members,

 

I hope I am posting at the right board.

Facing few issues with MFA enabled & enforced for our users.

  1. Users facing issues to login to MS Teams & Outlook. Some users even with an app password set, prompted for password, same with Teams. *SOLVED: Thanks to @Vasil Michev suggestions
  2. On Teams, users see a modern authentication page and at the same time an app password page for login couple of times.

  3. Users OS not upgrading to Win 10 Enterprise. Got a response from MS support that this is an ongoing issue as per 

    https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation

     

    'An issue has been identified with Hybrid Azure AD joined devices that have enabled multi-factor authentication (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal.'

  4. Users devices not registering to Hybrid Azure AD
  5. Conditional Access Policy restricting SharePoint online for unmanaged devices causing to lock down managed devices as well due to device registration data not syncing to Azure. (For now, we have kept this policy to report only mode, as due to the MFA issue, some devices are not showing as Hybrid Azure AD registered even if it shows as that on the portal) but this is causing risk of data exposure from unmanaged devices)

Current workaround for 1 to 4 is to disable MFA, (3rd issue workaround suggested by MS support was to let the user login to the computer using their email id and password rather than the local AD credential, but this rarely works and we depend on our MFA disable/enable workaround instead) let the user login to portal and then while they are logged in, enable & enforce MFA again, generate a new app password (as the old one gets cleared when you disable MFA) and then wait for few minutes (app password doesn't seems to be immediately accepted by Outlook/Teams) and apply it to the clients.

 

Anyone facing these issues?

3 Replies

Neither Teams nor Outlook requires app passwords, only old versions (Office 2010, 2013) do. If you are seeing the "legacy" auth prompt, make sure that modern auth is enabled *both* service- and client-side.

@Vasil Michev Thank you

 

I've now set modern auth and outlook clients now prompting with modern auth login page. 

 

Still need to see if anyone else facing other issues as listed above

@Vasil Michev 

We are still seeing Teams not working in certain W10 machines after enabling MFA. Anyone else?