Azure-docs: two issues with the passwordless experience

Created on 10 Jan 2019 · 12 Comments · Source: MicrosoftDocs/azure-docs

There are several issues and this is not production ready yet:

1) Passwordless login doesn't seem to always be respecting conditional access policies for trusted sites. This is most evident with the #2 issue below, where our apps are configured to bypass MFA when on premise, yet the notification is still being sent.
2) When combined with seamless sign-on, our test users will get an MFA notification in Authenticator asking to hit a number, but they are already logged into the web application.
3) When a user puts in their email address to log in, they may get confronted with a screen asking them to click "Send notification". But the notification is already sent to their phone, which is confusing. In other words, I get a notification on my phone asking me to hit a number. But on the web page, I still have to click "Send Notification" to see the number. The notification was already automatically sent, so why am I clicking Send Notification?


Labels: active-directorsvc cxp product-question triaged

All 12 comments

Sorry, that's 3 issues ;)

@philliplyle Thanks for your feedback! We will investigate and update soon on it.

@philliplyle We have checked the same and the experience has improved now. The send notification works better and you should see the difference. As for your second question about respecting the conditional access policy, the article already mentions in the known issues section that in the case of ADFS federated applications you may find that the CA policies are not honored currently. However, we have informed the product group about your feedback. Please let us know if you still see the same behavior with your applications within your on-premise environment or cloud apps. Also, do you see this behavior with applications federated with ADFS or with applications registered/federated directly within Azure AD? Please let us know and we can continue the conversation accordingly.

Thanks. I will check regarding the improvements.

Regarding #2, we are not using ADFS. It may be any login that does not have a root hint. I will try to post a more specific example.

One other question - how does a user unenroll from this experience? There is no option in the authenticator app. Delete and re register the authenticator?

@shashishailaj I am still seeing the issue sometimes (but not always) when I log in and it presents me with "We'll send a notification", but the notification is already sent. Specifically, this is happening when attempting to modify my MFA settings.

http://www.image-share.com/upload/3929/71.jpg

@shashishailaj I also want to confirm that removing and re-adding the authenticator on an account does NOT disable the passwordless experience. The websites will still act like a code is being pushed even though the phone does not display it. At this point there appears to be no mechanism I can see for turning this off once it is enabled on an account.

@philliplyle Thank you for your response Phillip. We may need a Fiddler trace and some other data to troubleshoot this further in order to come to a conclusion as to what exactly is happening behind the scenes. Please email us at azcommunity [at] microsoft [dot] com so that we can put you through the right channel for further work on the same.

@philliplyle We will be closing this issue now. Please tag me and email us at azcommunity [at] microsoft [dot] com to continue the conversation on this issue.
Thank you.

Just an FYI, nobody responded at that email address.

We are turning off the preview experience because of the unresolved issues above.

  • No ability to disable Passwordless for a specific user when it is enabled in Authenticator.
  • Some logins send the Authenticator prompt immediately while still prompting the user to "Click Next to send the notification"
  • Seamless sign on leads to unnecessary notifications sent to the phone, confusing the user.

Posting for others - this is still not prime time.

@MicrosoftGuyJFlo in case you want to review the above.

@shashishailah

@shashishailaj (oops, typo in tagging)
