Anyone seen "Verification request is not for an activated account" message on Authenticator app when using Azure MFA as second factor through ADFS 2016?

  • Question

  • This is essentially a repost of Emile's post here. But I am experiencing the same issue after getting ADFS 2016 working with the Azure MFA connection and keen to know if others are. I have a single relying party enabled for MFA as a secondary factor and I get this issue. My test user has the app notification method set as their default MFA method.

    When I authenticate through ADFS 2016 using the app notification MFA method as a secondary factor, it displays this error: "Verification request is not for an activated account" in the Authenticator app on my phone after I hit Approve. Then if I let it time out on the ADFS page and try again (by selecting the app notification method on the ADFS form), it works fine.

    All other authentication methods work through ADFS, even the app notification works on the second attempt. It just doesn't work on the first attempt. It's bizarre but I've tested it through WAP, directly to ADFS, with and without load balancing... the error is always consistent.

    Has anyone else seen this behavior or know what it is?

    Thursday, May 11, 2017 5:04 AM

Answers

  • As it turns out Microsoft were aware of the problem and have fixed it in their rollout of fixes to their environment in June. This won't be an issue for anyone in this scenario going forward.
    Monday, June 26, 2017 8:31 AM

All replies

  • We are also facing this issue. After some testing I have found that if the Authenticator maps the UPN when it has upper case alphabets you get the error "Verification request is not for an activated account". The reason being ADFS is always sending the attribute in lower case. This does not happen if I change the attribute to lower case.

    I have asked MS support this question, let's see what they say and I will post the update.

    a. Why does ADFS always send the UPN attribute in lowercase when the actual UPN has uppercase alphabets?
    b. Why does it not error out on the second attempt and always errors out on the first attempt?
    c. How does it matter to the authenticator app in which case the attribute is coming in?
    Thursday, June 8, 2017 2:09 PM