Natural Born MFA Killers

This blog post is about a weird MFA problem we ran into while enrolling devices and configuring MFA at the same time.

The user in question already had the Company Portal and Authenticator apps installed on their iPhone. We were very glad, because that can really save some time.

Obviously, MFA needs to be required when devices join Azure AD. We handed out the Surface so the user could complete the steps to configure Windows Hello and set up MFA with the Microsoft Authenticator app.

So far so good, until the MFA part. The Authenticator threw two different errors when scanning the QR code:

The first error: QR code is already used. You have already used this QR code to add an account. Generate a new QR code and try again. So we did… but you can guess the outcome: the same error occurred.

The second error: Activation failed. Please make sure push notifications are enabled.

The first thing we tried was removing the account from Microsoft Authenticator and adding it again. But obviously this didn’t work.

Okay, let’s try requiring the user to re-register MFA; maybe something would be fixed in the background. Again, the same error.

Everyone says Google is your best friend, so we googled the error. Every blog says the same damn thing: you will need to unblock your user. So we opened the Azure AD portal and went to the MFA settings.

The blocked users list clearly stated: No results. I had hoped to see the problem user there, but again no luck.

The next thing we tried was to determine whether it was a user or a device problem. We scanned the QR code on a different iPhone and it immediately worked. I guess we can rule out a user-based issue.

So it must be a problem with the device itself. First we removed the Authenticator app and reinstalled it… unfortunately that didn’t work either.

What to do? I had no ideas left for a minute, but then it hit me. Let’s open the Company Portal; maybe the company app will give us some more information. First things first, we need to enroll the device. One of the steps you need to take when enrolling your iOS device is installing the Intune management profile. When we pressed “Install”, a new error appeared.

MDM payload does not match the old Payload. That’s a nice error we can work with. This error clearly means the device already had a different MDM profile installed from another vendor. In this case it was a Trend Micro MDM profile.

After removing this profile, the Company Portal app worked and the device was enrolled. And guess what? Fixing the Company Portal app also fixed the MFA problem. We could scan the QR code without any problems after removing the old management profile.

Conclusion:

It’s your job as an IT admin to rule out everything you can, so that only the solution remains. Sometimes not focusing on the apparent problem can help you understand what the real problem is.
