Introduction
Using the MS Authenticator application for Identity Verification means that the End User can use an already in place application for use with the CyberQP platform.
Symptoms
- When sending an MS Auth Identity Verification request, the screen immediately displays a DENIED message, or the MS Auth notification never arrives on the End User Device.
- When sending an MS Auth Identity Verification request, an SMS is sent instead of the Application pop up, or the MS Auth notification never arrives on the End User Device
Pre-requisites
See this KB on setup requirements:
How to setup Customer Identity Verification using MS Authenticator
Resolutions
- If getting an immediate Deny message or no MS Auth Push notification at all when sending an MS Auth Request
- Confirm that these 2 Azure/Entra Options are configured to allow End Users to Sign in
- Log in to the Azure/Entra Portal ( portal.azure.com )
- Search/Click Enterprise Applications
- At the top of the screen - a predefined filter for "Application Type == Enterprise Applications" shows up. Click the X to remove that from the Filter screen.
- Find Azure Multi-Factor Auth Client on the list - ensure that "Enabled for users to sign-in?" Toggle is set to YES on the Manage -> Properties screen
NOTE: Even if this is set to YES - set to NO and Save. Set back to Yes and Save. - Find Azure Multi-Factor Auth Connector on the list - ensure that "Enabled for users to sign-in?" Toggle is set to YES on the Manage -> Properties screen
NOTE: Even if this is set to YES - set to NO and Save. Set back to Yes and Save. -
Ensure that the Default Method of the MFA is set to "Notifications" as shown in these screenshots:
- Ensure that the Enterprise app is fully configured.
- Ensure that the customer on CyberQP dashboard is connected to the M365 ('Connect 365' option should be disabled) and is in an online status
Note: This does NOT apply to GDAP/CSP connected customers. - Login onto the Microsoft Azure portal via an account that has administrative privileges for the tenant and search for 'Enterprise Application' in the search bar
https://portal.azure.com/#home
- In the Enterprise Applications view, click on the 'Quickpass' or 'CyberQP' Application view. This is the application that will use the Microsoft Graph API. The Application ID in NA tenants is: 92ae02b7-9ca9-4b62-9130-a35011636a45,
- Expand 'Security' dropdown and click on 'Permissions' from the side menu
- Click on 'Grant admin consent' tile and sign-in with the required account
- In the Microsoft Permissions requested modal, click on 'Accept'
- A success banner displaying 'Admin consent was successfully granted' appears on the UI
- Viewing the Permissions after the increased permissions are assigned will show the following:
- Ensure that the customer on CyberQP dashboard is connected to the M365 ('Connect 365' option should be disabled) and is in an online status
- Confirm that these 2 Azure/Entra Options are configured to allow End Users to Sign in
Comments
0 comments
Please sign in to leave a comment.