After enabling MFA, user is locked in a confirmation_pending state

After globally enabling MFA, some users are locked in a “confirmation_pending” state, even after disabling MFA afterwards. ![alt text][1]

I then go to Actions > Reset Multi Factor, and the message above briefly goes away. After a few minutes, I refresh the page and it reappears. When the user attempts to log in using username-password authentication, Auth0 returns the following error:

[2017-10-11 19:22:36,527] ERROR Auth0 error message: User is not enrolled with guardian

The problem is, MFA is currently turned off. Is there any way to un-enroll this user? Even after deleting and recreating the user with the same email address, the confirmation_pending status comes back. Any ideas?

I’m not aware of any explanation for getting into that state, but if you haven’t done so already, I would recommend trying to perform an explicit deletion of that enrollment through Management API, in particular through the delete Guardian enrollment endpoint.

You can get the identifier of the enrollment in question by performing a previous call to get enrollments by user endpoint.