SharePoint and MFA Re-Auth Loop

  • Question

  • Hi There,

    We've seen many users in our org. describe a problem with the SharePoint iOS app, and on every device we've tested this issue is occurring. Here's what we've observed:

    1. The user launches the SharePoint iOS app, which triggers the Microsoft Authenticator app to authenticate.
    2. After the MFA prompt is approved the SharePoint app reappears, but immediately re-triggers the Microsoft Authenticator app to re-authenticate.
    3. This loop will continue unless you don't approve the MFA prompt, and instead hit the button in the upper-right hand corner to drop back to the SharePoint app.
    4. The user can navigate around the application fine for a short while, but certain actions inside the app start the loop again (e.g. viewing contact/profile information)

    This issue has been occurring for at least 1 month. I have tried re-installing the SharePoint app, re-installing the Microsoft Authenticator app, using the 'clear account settings' option in the iOS/SharePoint app settings, and the issue persists. Other Office 365 apps (OneNote, OneDrive, Teams, Planner, Excel, PowerPoint, Word, etc.) do not have this issue.

    Has anyone experienced this issue before, or is anyone currently experiencing this issue? I was surprised, given how easily we've been able to replicate the problem, that I didn't find more similar reports after some brief Google-Fu.

    Thursday, February 27, 2020 8:29 PM

All replies

  • Following here.  We have the same issue with a high-profile user.  We've uninstalled the app, uninstalled authenticator, we've removed Company Portal, we removed all iOS configurations and policies.  We have no variables left.  The app flaps between authenticator and SP, in very annoying loops.

    Following for any fixes or ideas on what may be root cause...

    Monday, March 2, 2020 4:53 PM
  • We are having a similar issue, although not with SharePoint but with ADFS using MFA. I have traced the traffic and this is what I see, when it fails.

    1. User triggers MFA through ADFS.

    2. User gets Authenticator Prompt.

    3. User accepts.

    4. The connection is dropped.

    This happens whether on the company network or on a mobile network like ATT, although I can't trace the mobile traffic as well since the traffic isn't going through my router and firewall.

    In Azure I see an error for Phone Busy in the logs. But it happens on multiple phones on different networks etc. Has to be an issue with the MFA service I am thinking. Just started happening about two weeks ago.

    Seems to happen on about 50% of the requests. The other 50% go through without issue and I see the response while sniffing the Firewall.

    • Edited by incendy Monday, March 2, 2020 5:35 PM
    Monday, March 2, 2020 5:33 PM
  • We are seeing the same thing as well, but with Symantec VIP joined to Azure.

    SharePoint application on iOS launches up, user logs in, enters MFA, sees SharePoint, then loops.

    Azure sign-ins show a success event.

    Then 10-40 seconds later an MFA failure under conditional access.

    Friday, March 27, 2020 5:14 AM
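
The pattern described in the reply above (a success event, then an MFA failure under conditional access 10-40 seconds later) can be searched for in exported sign-in logs. This is an added example, not part of the original thread: the field names follow the Microsoft Graph signIn resource, while the users, app names, timestamps, the placeholder error code and the 60-second window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def rec(ts, user, app, code, ca):
    """Build one record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "appDisplayName": app, "status": {"errorCode": code},
            "conditionalAccessStatus": ca}

# Constructed sample data. 99999 is a placeholder for "any non-zero error code".
SAMPLE = [
    rec("2020-03-27T05:00:00Z", "a@example.com", "SharePoint", 0, "success"),
    rec("2020-03-27T05:00:25Z", "a@example.com", "SharePoint", 99999, "failure"),
    rec("2020-03-27T05:00:30Z", "a@example.com", "SharePoint", 0, "success"),
    rec("2020-03-27T05:01:05Z", "a@example.com", "SharePoint", 99999, "failure"),
    rec("2020-03-27T05:00:10Z", "b@example.com", "OneDrive", 0, "success"),
    rec("2020-03-27T05:10:00Z", "b@example.com", "SharePoint", 0, "success"),
    rec("2020-03-27T05:20:00Z", "b@example.com", "SharePoint", 99999, "failure"),
    rec("2020-03-27T05:02:00Z", "c@example.com", "SharePoint", 99999, "failure"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_reauth_loops(records, window=timedelta(seconds=60)):
    """Pair each Conditional Access failure with the preceding successful
    sign-in by the same user to the same app, if it falls within `window`.
    Returns a list of (user, app, gap_seconds)."""
    last_success, hits = {}, []
    for r in sorted(records, key=lambda r: parse_ts(r["createdDateTime"])):
        key = (r["userPrincipalName"], r["appDisplayName"])
        ts = parse_ts(r["createdDateTime"])
        if r["status"]["errorCode"] == 0:
            last_success[key] = ts
        elif r["conditionalAccessStatus"] == "failure":
            prev = last_success.pop(key, None)  # one failure per success
            if prev is not None and ts - prev <= window:
                hits.append((key[0], key[1], int((ts - prev).total_seconds())))
    return hits

def loop_counts(hits):
    """Count success-then-failure pairs per (user, app) to rank who is looping."""
    return Counter((user, app) for user, app, _ in hits)

if __name__ == "__main__":
    for (user, app), n in loop_counts(find_reauth_loops(SAMPLE)).most_common():
        print(f"{user} {app}: {n} success-then-failure pairs")
```

A failure with no earlier success, or one that arrives long after the last success, is not counted, which keeps ordinary MFA denials out of the result.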
  • Yeah, so far it sounds like it's mostly affecting iOS devices; now Steve has the same issue as well at home.

    SharePoint Administrator

    Sunday, March 29, 2020 9:24 PM
  • Hi Jim,

    I recognize your name from my other thread that received the 'you're not posting in the correct forum' treatment. We did some additional testing today and found that the re-auth loop eventually stops if you let it go for about 45 seconds - 1 minute. If the phone is restarted or the app is force closed, this happens again the next time it is opened.

    We're thinking that it's not properly caching the MFA token and as it initially loads sites, it's re-authing for each of them, and eventually stops when it's authenticated against each resource.

    Wednesday, April 1, 2020 7:00 PM
  • Hi All,

    Not sure how many will see this, or if this will also apply to those experiencing this issue, but we were able to resolve this in-house. In Azure > Enterprise Applications, we found the Microsoft People Cards Service had an invalid character (a leading &) in the ID. After updating the application registration, this issue went away. This was also causing an issue in our organization where OWA would fail to load contact details, either contextually when hovering over someone's avatar, or when using the People pane. This issue is also now resolved. 

    Hopefully someone finds this helpful.

    Wednesday, June 17, 2020 4:15 PM