Recently, while working on an Office 365 hardening project, I came across an issue that was causing problems for many users when verifying the second factor (Azure MFA).
During second-factor authentication, users were presented with the following screen. As you can see, the user has the option to verify their identity using SMS, but no call-based option is offered.
By design, if a user has configured Azure MFA with their mobile number, they should be able to choose between SMS and call-based verification (TwoWayVoiceMobile). In this case, however, the call-based option was missing.
So how do we troubleshoot this issue, identify the users affected by it, and apply a fix for all of them?
I started by checking the MFA service settings to see if the call-based option had been removed from the verification options. This can be done by checking the per-user MFA settings from the Azure portal, using the "All Users" link found here: https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
On further checking, I tested MFA with my own account in the same tenant, and it does offer the call-to-phone option.
I also verified the problematic user's authentication methods in the user properties, and they look correct there too.
The above screen is the same for both the problematic user and a non-problematic user.
This confirms that there are no issues on the Azure or tenant side; the issue lies in the user's own authentication methods.
From the Azure portal, we do not have many options that can help in this situation.
We will now move to the next stage of troubleshooting using PowerShell or the Graph API.
Graph API Azure AD authentication methods API overview - Microsoft Graph beta | Microsoft Learn
In this blog post, we will use PowerShell to troubleshoot and apply the fix. You can also apply the fix using the Graph API, but I am not covering that in this post.
PowerShell:
We will use the MSOnline (MSOL) PowerShell module to verify the strong authentication methods registered for the user.
Install the PowerShell module and run Connect-MsolService.
The command (Get-MsolUser -UserPrincipalName emailaddress).StrongAuthenticationMethods returns the authentication methods available for the user.
As you can see, the only authentication method available for this user is OneWaySMS.
Let's try the same command for a working user.
(Get-MSolUser -UserPrincipalName emailaddress).StrongAuthenticationMethods
The non-problematic user has both OneWaySMS and TwoWayVoiceMobile (call to phone) available.
We now know what the issue is, but why is it happening to some users and not all?
The problematic user configured MFA a year ago, and there are no logs left to identify how the user set it up.
I was not able to find the root cause, but there is a fix, and we can apply it to all problematic users using a script.
We will apply the fix to one user first and validate the result before the fix is applied to all the problematic users.
Apply fix to one user
There are a couple of options to apply the fix:
1. Reset MFA from the Azure portal. This prompts the user to set up MFA again, so it involves user intervention and causes inconvenience for the user.
2. Notify the user to browse to https://aka.ms/MFASETUP and re-register. This option also requires user intervention and causes inconvenience, just like the option above.
3. Use PowerShell to apply the fix in the backend and ask the user to validate it.
<#
Name: Find the users whose authentication methods are not set correctly for phone number
Author: Eswar Koneti @eskonr
#>
Connect-MsolService

# Pull every user in the tenant; StrongAuthenticationMethods is populated per user.
$users = Get-MsolUser -All
$problemUsers = @()

foreach ($user in $users)
{
    # Names of the registered methods, e.g. OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP.
    $methodTypes = @($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })

    # A problem user has SMS registered but no call-to-phone method.
    if (($methodTypes -contains 'OneWaySMS') -and -not ($methodTypes -contains 'TwoWayVoiceMobile'))
    {
        $problemUsers += $user
    }
}

# One row per registered method, tagged with the user's UPN.
$problemUsers |
    Select-Object -Property UserPrincipalName -ExpandProperty StrongAuthenticationMethods |
    Export-Csv -Path C:\temp\scripts\problemUsers.csv -NoTypeInformation
This script exports all users who have configured MFA with OneWaySMS but are missing call to phone (TwoWayVoiceMobile).
Once the report is generated, remove the users who also have MethodType OTP or other options, to avoid creating new issues for those users: the fix below replaces the user's whole StrongAuthenticationMethods collection. Our focus is only on users who have OneWaySMS but are missing TwoWayVoiceMobile.
Once the CSV file contains only the problematic users, save the file.
We will now apply the fix to one user using the following script.
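The manual clean-up of the CSV described above can be done in code. The following is an added example, not one of the post's scripts: it reads the report produced by the discovery script (one row per registered method, with UserPrincipalName and MethodType columns) from the post's path, keeps only users whose registered methods are exactly OneWaySMS, and writes them to a second file. The output file name and the function name Select-SmsOnlyUsers are choices made for this example.

```powershell
# Added example, not one of the post's scripts: keep only users whose registered
# methods are exactly OneWaySMS, because the fix that follows replaces the whole
# StrongAuthenticationMethods collection and would drop anything else.
# Input path is the post's; the output file name is chosen for this example.
$reportPath   = 'C:\temp\scripts\problemUsers.csv'
$filteredPath = 'C:\temp\scripts\problemUsers-filtered.csv'

function Select-SmsOnlyUsers {
    param(
        # Rows from the exported report: one per method, with UserPrincipalName and MethodType.
        [object[]]$Rows = @()
    )

    $keep = @()
    $skip = @()
    # The report has one row per registered method, so group rows by user first.
    foreach ($group in ($Rows | Group-Object -Property UserPrincipalName)) {
        $types = @($group.Group | ForEach-Object { $_.MethodType } | Sort-Object -Unique)
        if ($types.Count -eq 1 -and $types[0] -eq 'OneWaySMS') {
            $keep += [pscustomobject]@{ UserPrincipalName = $group.Name }
        } else {
            # Anything extra (PhoneAppOTP, PhoneAppNotification, ...) is left for manual review.
            $skip += [pscustomobject]@{
                UserPrincipalName = $group.Name
                MethodTypes       = ($types -join ';')
            }
        }
    }
    return [pscustomobject]@{ Fix = $keep; Review = $skip }
}

$rows   = Import-Csv -Path $reportPath
$result = Select-SmsOnlyUsers -Rows $rows

# Users safe to rewrite go to the filtered file; the rest are listed for a manual look.
$result.Fix | Export-Csv -Path $filteredPath -NoTypeInformation
Write-Host ("Users to fix: {0}; users left for manual review: {1}" -f @($result.Fix).Count, @($result.Review).Count)
$result.Review | Format-Table -AutoSize
```

Grouping by UserPrincipalName matters because the export writes one line per method, so a user with OneWaySMS and PhoneAppOTP appears twice; judging each row on its own would wrongly pass that user through.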
Connect-MsolService

# UPN of the single user to fix first.
$upn = "Email Address or UPN"
$user = Get-MsolUser -UserPrincipalName $upn

# Show what is registered before the change (expected: OneWaySMS only).
$user.StrongAuthenticationMethods

# Build the two phone-based methods: SMS stays the default, call to phone is added.
$sm1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm1.IsDefault = $true
$sm1.MethodType = "OneWaySMS"
$sm2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$sm2.IsDefault = $false
$sm2.MethodType = "TwoWayVoiceMobile"

# Set-MsolUser replaces the whole collection, so both methods are passed together.
$sm = @($sm1,$sm2)
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $sm
Now, verify the status using the following command:
(Get-MsolUser -UserPrincipalName emailaddress).StrongAuthenticationMethods
After confirmation from the user, we are ready to run the script for all the problematic users identified by the first script.
<#
Name: Script to set StrongAuthenticationMethods to include both "OneWaySMS" and "TwoWayVoiceMobile"
Author: Eswar Koneti @eskonr
#>
Connect-MsolService

# The report holds one row per registered method, so take each UPN only once.
$upns = Import-Csv -Path C:\temp\scripts\problemUsers.csv |
    Select-Object -ExpandProperty UserPrincipalName -Unique

foreach ($upn in $upns)
{
    $user = Get-MsolUser -UserPrincipalName $upn

    # Show what is registered before the change.
    $user.StrongAuthenticationMethods

    # SMS stays the default; call to phone is added alongside it.
    $sm1 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $sm1.IsDefault = $true
    $sm1.MethodType = "OneWaySMS"
    $sm2 = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $sm2.IsDefault = $false
    $sm2.MethodType = "TwoWayVoiceMobile"

    # Set-MsolUser replaces the whole collection with this array.
    $sm = @($sm1,$sm2)
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods $sm
}
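As an added example (not the author's script), here is a variant of the bulk fix that only adds TwoWayVoiceMobile when it is missing, copies whatever methods and default the user already has instead of overwriting the collection with a fixed pair, supports -WhatIf for a dry run, and reads the result back to confirm the change. It assumes Connect-MsolService has already succeeded, uses the report path from the post, and the function name Add-TwoWayVoiceMobileMethod and the result file name are choices made here. Note that Microsoft has deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so this applies only where MSOnline still connects.

```powershell
# Added example, not the post's script: add the call-to-phone method without
# discarding anything already registered for the user. Assumes Connect-MsolService
# has already run. The function name is an assumption made for this example.
function Add-TwoWayVoiceMobileMethod {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $current = @($user.StrongAuthenticationMethods)
    $types   = @($current | ForEach-Object { $_.MethodType })

    # Idempotent: skip users who already have the call option.
    if ($types -contains 'TwoWayVoiceMobile') {
        return [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Action            = 'AlreadyPresent'
            Methods           = ($types -join ';')
        }
    }

    # Set-MsolUser replaces the whole collection, so copy the existing methods first.
    $methods = @()
    foreach ($m in $current) {
        $copy = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $copy.IsDefault  = $m.IsDefault
        $copy.MethodType = $m.MethodType
        $methods += $copy
    }

    # Add call to phone; make it the default only if no existing method is.
    $hasDefault = [bool]($methods | Where-Object { $_.IsDefault })
    $voice = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $voice.IsDefault  = -not $hasDefault
    $voice.MethodType = 'TwoWayVoiceMobile'
    $methods += $voice

    $planned = ($methods | ForEach-Object { $_.MethodType }) -join ';'
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, "Set StrongAuthenticationMethods to $planned")) {
        # -WhatIf path: report what would have been written and change nothing.
        return [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Action            = 'WouldSet'
            Methods           = $planned
        }
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $methods

    # Read back and confirm the call option is now registered.
    $after = @((Get-MsolUser -UserPrincipalName $UserPrincipalName).StrongAuthenticationMethods |
        ForEach-Object { $_.MethodType })
    $action = 'VerifyFailed'
    if ($after -contains 'TwoWayVoiceMobile') { $action = 'Fixed' }
    return [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Action            = $action
        Methods           = ($after -join ';')
    }
}

# The report has one row per registered method, so take each UPN once.
$upns = Import-Csv -Path 'C:\temp\scripts\problemUsers.csv' |
    Select-Object -ExpandProperty UserPrincipalName -Unique

# Dry run first: -WhatIf prints what would change and returns 'WouldSet' rows.
$upns | ForEach-Object { Add-TwoWayVoiceMobileMethod -UserPrincipalName $_ -WhatIf } | Format-Table -AutoSize

# Real run, keeping a per-user record of the outcome.
$results = $upns | ForEach-Object { Add-TwoWayVoiceMobileMethod -UserPrincipalName $_ }
$results | Export-Csv -Path 'C:\temp\scripts\problemUsers-result.csv' -NoTypeInformation
$results | Group-Object -Property Action | Select-Object Name, Count
```

Because the existing methods are copied rather than replaced, a user who slipped through the report clean-up with an extra method such as PhoneAppOTP keeps it, and the summary at the end shows at a glance how many users were fixed, were already correct, or failed the read-back check.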
I have uploaded all three scripts to my GitHub page for reference.
In conclusion, if you are experiencing similar issues with Azure MFA, check the MFA service settings to ensure all verification options are available, and then compare the affected user's StrongAuthenticationMethods against those of a working account.
Thank you for reading the post!