MFA prompts delayed or never arriving

Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

Field Summary

Delayed or missing MFA prompts can be a user device issue, a method registration issue, Conditional Access behavior, push notification delivery, or an identity provider service problem. The fastest path is to check sign-in logs and prove whether the prompt was generated, delivered, denied, or never required.

Common Symptoms

  • User waits for a push that never appears.
  • SMS or voice arrives late.
  • Authenticator works for one app but not another.
  • Sign-in page times out.
  • Problem affects one user, one device, or one geographic site.

Fast Triage

  1. Confirm the user has internet/cellular connectivity on the MFA device.
  2. Try an alternate registered method if policy allows.
  3. Check phone time/date and notification permissions.
  4. Capture sign-in timestamp, app, and location.
  5. Do not reset MFA until logs show a method or registration failure.

Likely Causes

  • Push notifications disabled or delayed on phone.
  • Wrong default MFA method.
  • Authentication method registration incomplete.
  • Conditional Access requiring a method the user lacks.
  • User risk/sign-in risk block.
  • Provider or carrier delay for SMS/voice.

Tier 1 Fix Path

  1. Have the user open Authenticator directly and check for pending approval.
  2. Confirm notifications are allowed for the app.
  3. Use number matching carefully; make sure the user is approving the right sign-in.
  4. Try backup code/SMS/voice only if allowed by policy.
  5. Document whether the prompt never appears or appears late.

Tier 2 / Admin Investigation

  1. Open Entra sign-in logs for the exact attempt.
  2. Review Conditional Access result, authentication requirement, and failure reason.
  3. Check registered authentication methods and default method.
  4. Review user risk, sign-in risk, disabled account state, and temporary access pass options if used.
  5. Check service health if multiple users report MFA delays.
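
The log review above can be scripted once sign-in records are exported. The block below is an added example, not part of the original runbook: it assumes records in the Microsoft Graph signIn JSON shape (with the beta-schema authenticationRequirement field), and the sample users and records are constructed.

```python
from collections import defaultdict

# AADSTS error codes that matter for MFA triage, mapped to a triage label.
MFA_CODES = {
    50074: "mfa_required_not_completed",  # user did not pass the MFA challenge
    50076: "mfa_required_not_completed",  # MFA demanded by policy or new location
    500121: "mfa_denied_or_timed_out",    # failed during the strong-auth request
    50072: "registration_incomplete",     # user must enroll for MFA
    50079: "registration_incomplete",
    53003: "blocked_by_conditional_access",
    50057: "account_disabled",
}

def triage(rec):
    """Return a triage label for one sign-in record."""
    code = rec.get("status", {}).get("errorCode", 0)
    if code == 0:
        # authenticationRequirement is a beta-schema field (assumed present).
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            return "mfa_completed"
        return "mfa_not_required"
    return MFA_CODES.get(code, "other_failure")

def reset_justified(label):
    """Fast Triage step 5: reset MFA only when logs show a registration failure."""
    return label == "registration_incomplete"

def users_by_label(records):
    """Group affected users per label; many users under one label points
    at service health or policy design rather than one device."""
    grouped = defaultdict(set)
    for rec in records:
        grouped[triage(rec)].add(rec["userPrincipalName"])
    return dict(grouped)

def sample(upn, code, requirement="multiFactorAuthentication"):
    """Build a constructed sample record (not real log data)."""
    return {"userPrincipalName": upn, "status": {"errorCode": code},
            "authenticationRequirement": requirement}

SAMPLE = [
    sample("ana@example.com", 50074),
    sample("ben@example.com", 500121),
    sample("cho@example.com", 50079),
    sample("dee@example.com", 0, "singleFactorAuthentication"),
    sample("eli@example.com", 50074),
]

if __name__ == "__main__":
    for label, users in sorted(users_by_label(SAMPLE).items()):
        print(f"{label}: {sorted(users)} reset_justified={reset_justified(label)}")
```

Codes outside the table fall through to other_failure and still need the failure reason read by hand.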

Advanced Remediation

Require MFA re-registration when methods are stale or the device was replaced. Revoke sessions after method changes when existing sessions make test results ambiguous. Use Temporary Access Pass only under approved client policy.

Verification

  • User completes MFA with the intended method.
  • Entra sign-in log shows success and expected CA policy result.
  • User can repeat sign-in from the affected app.

Ticket Notes to Capture

  • User, app, timestamp, method, device, sign-in log result, CA result, method changes, and verification.

Escalate When

  • CA policy design blocks valid users.
  • Multiple users see delayed prompts across methods.
  • Risk state or identity protection requires security review.

Prevention

Keep MFA registration campaigns paired with method review, backup method standards, and clear helpdesk steps for sign-in log evidence.