Natural Born MFA Killers

Last Updated on June 27, 2022 by rudyooms

This blog will be about a weird MFA problem when we were enrolling devices and at the same time configuring MFA.

The user in question already had the Company and Authenticator app installed on their iPhone. We were very glad because it can really save some time.

It’s obvious that MFA needs to be required when devices need to join Azure Ad. We handed out the surface, so the user could complete the steps to configure Windows Hello and set up MFA with the Microsoft Authenticator app.

So far so good, until the MFA part. The Authenticator threw 2 different kinds of errors when scanning the QR-Code.

I will divide this blog into multiple parts

  1. QR Code Is Already Used
  2. Activation Failed
  3. Solving the Issue

1. QR Code Is already used

QR code is already used. You have already used this QR code to add an account.  Generate a new QR code and try again. So we did… but you can guess the outcome, the same error occurred.

2. Activation Failed:

Activation failed. Please make sure push notifications are enabled.

3. Solving the Issue

The first thing we tried, removing the account in Microsoft Authenticator and adding the account again. But obviously, this didn’t work.

Okay, let’s try to require the user to re-register MFA, maybe something will be fixed in the background.. again the same error.

Everyone tells you that Google is your best friend, so we googled the error. Every blog says the same damn thing… you will need to unblock your user. To make sure this wasn’t our issue, we opened the Azure Ad Portal and opened the MFA settings.

Microsoft Azure

As shown above, it clearly stated: No results. I hoped to see the problem user but again no luck.

The next thing we tried, was determining if it was a user or device problem. We scanned the QR code on a different iPhone and it immediately worked. I guess we can rule out a user-based issue.

So it must be a problem with the device itself. First, we removed the Microsoft Authenticator app and reinstalled it… unfortunately that didn’t work.

What to do? I had no ideas left for a minute, but then it hit me. Let’s open the Company Portal, maybe the Company app will give us some more information.

First things first, we need to enroll the device. One of the steps you will need to take when enrolling your IOS device is installing the Intune management profile. When we pressed “Install” a new error appeared.

Let me translate the picture above for you: MDM payload does not match the old Payload.

That’s a nice error we can work with. This error clearly means the device already had a different MDM profile installed from another vendor. In this case, it was a Trend Micro MDM profile

After removing this profile, the company app worked and the device was enrolled. And guess what? Fixing the company app also fixed the MFA problem. We could scan the QR-Code without any problems after removing the old management profile.

Conclusion:

It’s your job as an IT admin to rule out everything you can, so only the solution remains.  Sometimes not focusing on the actual problem, can help you in understanding what the real problem is.

trying.gif

Leave a Reply

Your email address will not be published.

6  +  4  =