Issue 1:  Some applications freeze up when MFA is enabled.
 
If someone doesn't notice the authentication prompt, the prompt may time out. When this happens, they will need to reinitialize the authentication process. If the logon prompt isn't working or is difficult to find, try closing and reopening the application.


Issue 2:  Email stops working from the smartphone.  
 
Some older applications are not compatible with MFA. The email application that came with older Android phones is one example. In this situation it is recommended that an alternative email client (like Outlook) be installed and used on the smartphone. The default email client on iPhones and Windows phones is compatible. The following example shows prompts from an iPhone; however, it should be similar to most email applications.

 

Issue 3:  Problems scanning code during MFA registration

Immediately after opening https://aka.ms/mfasetup there is a prompt to enter a code.

   -or-

While going through the steps from that URL, they scan the QR code and get a 'something went wrong' error.

This indicates that a 2nd authentication factor was already selected. In some cases, people registered for Self Service Password Reset and forgot what they selected for a default 2nd factor. Another possibility is a bad actor configured their own 2nd factor when they compromised this account.

If the account owner cannot remember choosing an option, then resetting the MFA registration for that account is the next best step. To do this, someone with Azure AD access must go to that user account and then open the 'Authentication methods' link located under the Manage list. This is where the 'Require re-register MFA' button is located. Click that to reset the MFA options. Once this is completed, the account owner should close all web browser windows and then open the URL and follow the prompts to complete MFA registration.

 

Issue 4:  After hitting "Deny" to an Authenticator prompt MFA stops working (account blocked)

Any time a user responds to the "Allow" or "Deny" authentication prompt by hitting "Deny", their account is blocked indefinitely. When they attempt to use MFA in the future to authenticate, they will not see a prompt from their Authenticator app. When the MFA prompt times out, they will be prevented from accessing their application.

To unblock the account, someone with rights to reset it in Azure needs to perform the following steps:

At this time, the individuals with the rights needed to unblock these accounts are Joshua Gray and Bryan Biondo.

More details about MFA blocked accounts can be found here:  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#block-a-user

 


More troubleshooting resources:

https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-troubleshoot 

https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq