Open
Labels: type:question (Indicates that an issue, pull request, or discussion needs more information)
Description
As per the subject, authentication with Azure AD with MFA enabled doesn't work; it keeps asking for the MFA code indefinitely. I attach a debug session.
$ saml2aws --version
2.36.6
$ saml2aws login --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/Users/zzzzz/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/zzzzz/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/zzzzz/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://account.activedirectory.windowsazure.com"
DEBU[0000] Get credentials helper=osxkeychain user=zzzzzz
To use saved password just hit enter.
? Username zzzzzz
? Password
DEBU[0001] building provider command=login idpAccount="OMIT"
Authenticating as zzzzzz ...
DEBU[0002] processing ConvergedSignIn provider=AzureAD
DEBU[0002] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] processing a 'hiddenform' provider=AzureAD
DEBU[0002] HTTP Req URL="https://device.login.microsoftonline.com:443/" http=client method=POST
DEBU[0003] HTTP Res Status="200 OK" http=client
DEBU[0003] processing a 'hiddenform' provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0003] HTTP Res Status="200 OK" http=client
DEBU[0003] processing ConvergedTFA provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 64
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
DEBU[0005] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0006] HTTP Res Status="200 OK" http=client
DEBU[0007] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0007] HTTP Res Status="200 OK" http=client
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0012] HTTP Res Status="200 OK" http=client
DEBU[0013] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0015] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res Status="200 OK" http=client
DEBU[0016] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0016] HTTP Res Status="200 OK" http=client
DEBU[0017] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0018] HTTP Res Status="200 OK" http=client
DEBU[0019] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0019] HTTP Res Status="200 OK" http=client
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0021] processing ConvergedTFA provider=AzureAD
DEBU[0021] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0022] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 13
DEBU[0022] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0023] HTTP Res Status="200 OK" http=client
DEBU[0024] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0025] HTTP Res Status="200 OK" http=client
DEBU[0026] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0026] HTTP Res Status="200 OK" http=client
DEBU[0027] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0028] HTTP Res Status="200 OK" http=client
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0028] HTTP Res Status="200 OK" http=client
DEBU[0028] processing ConvergedTFA provider=AzureAD
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0029] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 25
DEBU[0029] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0030] HTTP Res Status="200 OK" http=client
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0032] HTTP Res Status="200 OK" http=client
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
DEBU[0034] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0035] HTTP Res Status="200 OK" http=client
DEBU[0036] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0036] HTTP Res Status="200 OK" http=client
DEBU[0037] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0038] HTTP Res Status="200 OK" http=client
DEBU[0038] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0038] HTTP Res Status="200 OK" http=client
DEBU[0038] processing ConvergedTFA provider=AzureAD
DEBU[0038] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0039] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 61
DEBU[0039] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0039] HTTP Res Status="200 OK" http=client
After the third MFA code request I stopped, but as you can see, something fails silently in the MFA check, apparently.
Unfortunately, I don't have any control over the Azure AD configuration, so I can't supply further details on it. Is there a way to gather additional information from my side?
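One way to gather more information from the client side is to summarise the verbose log per MFA round. The following is an added example, not saml2aws code and not part of the original report: it groups the `SAS/BeginAuth`, `SAS/EndAuth` and `SAS/ProcessAuth` requests into rounds and flags rounds after which the `ConvergedTFA` page was processed again. The names `MfaRound`, `mfa_rounds` and `is_mfa_loop` are hypothetical, and the sample log is constructed in the format of the debug session above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the `saml2aws login --verbose` format (abbreviated, not a real capture).
SAMPLE_LOG = """\
DEBU[0003] processing ConvergedTFA provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 64
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0005] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0006] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0007] processing ConvergedTFA provider=AzureAD
DEBU[0007] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 13
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0009] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0009] processing ConvergedTFA provider=AzureAD
"""

STEP = re.compile(r'HTTP Req URL="[^"]*/SAS/(BeginAuth|EndAuth|ProcessAuth)"')
ENTROPY = re.compile(r"Entropy is: (\d+)")

@dataclass
class MfaRound:
    entropy: Optional[int] = None  # number printed with "Phone approval required"
    polls: int = 0                 # EndAuth requests sent while waiting for approval
    processed: bool = False        # ProcessAuth was sent
    reprompted: bool = False       # ConvergedTFA page was processed again afterwards

def mfa_rounds(log: str) -> List[MfaRound]:
    """Group SAS/BeginAuth .. SAS/ProcessAuth requests into MFA rounds."""
    rounds: List[MfaRound] = []
    for line in log.splitlines():
        cur = rounds[-1] if rounds else None
        step, ent = STEP.search(line), ENTROPY.search(line)
        if step and step.group(1) == "BeginAuth":
            rounds.append(MfaRound())
        elif step and cur and step.group(1) == "EndAuth":
            cur.polls += 1
        elif step and cur and step.group(1) == "ProcessAuth":
            cur.processed = True
        elif ent and cur:
            cur.entropy = int(ent.group(1))
        elif cur and cur.processed and "processing ConvergedTFA" in line:
            cur.reprompted = True
    return rounds

def is_mfa_loop(rounds: List[MfaRound], threshold: int = 2) -> bool:
    return sum(r.reprompted for r in rounds) >= threshold  # rounds that ended back at the MFA prompt
```

A per-round summary (entropy value, number of `EndAuth` polls, whether `ProcessAuth` was followed by another prompt) is compact enough to attach to a report without sharing the full session output.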