Overview
When using the custom MFA enrollment feature in Actions, an error is seen for users:
An MFA enrollment was requested but the user is already enrolled in MFA. Challenge with at least one existing factor before enrolling a new one.
Applies To
- Actions
- MFA
Cause
For users with one or more existing enrollments, the user must complete an MFA challenge on an existing enrollment before any further factors can be added.
The exception is when an email factor is the only factor the user has enrolled: in that case it is not required to challenge the user's email MFA before enrolling another factor.
This is because Email MFA is not a true additional factor. If it is enabled on the tenant, it is implicitly enrolled once the user has verified their email address, either by successfully completing an OTP challenge or by going through an email verification or password reset flow.
Solution
If a user has one or more factors enrolled (with the exception of just Email MFA as the sole enrollment), an existing factor must be challenged first before any additional factors can be enrolled.
Before the enrollWith or enrollWithAny methods can be used, the user must have successfully completed a challengeWith or challengeWithAny method call in a prior Action. Otherwise, the user will see an error screen with the message listed above.
For a code example of using consecutive actions to first challenge and then enroll a factor, see Sequenced and Contextual Flows.
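As an added illustration (not the article's own code, and not the Sequenced and Contextual Flows sample), the following shows the two-Action pattern the article requires: a first post-login Action challenges one of the user's existing non-email factors, and a second Action enrolls a new factor only once that challenge has been satisfied, so the error above is never reached. It assumes the documented `api.authentication.challengeWithAny` / `enrollWith` methods, that `event.user.enrolledFactors` is an array of `{ type }` objects, and that a completed challenge appears in `event.authentication.methods` as `{ name: 'mfa' }`. The recording `api` and the `simulateLogin` runner are a constructed local harness, not the Auth0 runtime.

```javascript
// Rule from the article: with no enrollment, or with Email MFA as the sole
// enrollment, no challenge is needed before enrolling; any other existing
// factor must be challenged first.
function requiresChallengeBeforeEnroll(enrolledFactors) {
  return (enrolledFactors || []).some((f) => f.type !== 'email');
}

// Factors the first Action may challenge. Email is left out because the
// article does not count it as a true additional factor.
function challengeableFactors(enrolledFactors) {
  return (enrolledFactors || [])
    .filter((f) => f.type !== 'email')
    .map((f) => ({ type: f.type }));
}

// Has this login already satisfied an MFA challenge?
// Assumed shape: event.authentication.methods contains { name: 'mfa' }.
function mfaCompleted(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.some((m) => m.name === 'mfa');
}

// Action 1 (ordered first in the post-login trigger). In a real Action this
// body would be exported as `exports.onExecutePostLogin = async (event, api)`.
function challengeExistingFactorAction(event, api) {
  const factors = challengeableFactors(event.user.enrolledFactors);
  if (factors.length > 0 && !mfaCompleted(event)) {
    api.authentication.challengeWithAny(factors);
  }
}

// Action 2 (ordered after Action 1): enroll push-notification MFA, but only
// when the article's precondition holds, so the user never sees the error.
function enrollNewFactorAction(event, api) {
  const enrolled = event.user.enrolledFactors || [];
  if (enrolled.some((f) => f.type === 'push-notification')) {
    return; // already enrolled, nothing to do
  }
  if (requiresChallengeBeforeEnroll(enrolled) && !mfaCompleted(event)) {
    // Calling enrollWith here would trigger the "already enrolled in MFA"
    // error screen; skip the enrollment instead.
    return;
  }
  api.authentication.enrollWith({ type: 'push-notification' });
}

// Constructed harness: records every api.authentication call so the two
// Actions can be exercised offline.
function makeRecordingApi() {
  const calls = [];
  const record = (op) => (args) => { calls.push({ op, args }); };
  return {
    calls,
    authentication: {
      challengeWith: record('challengeWith'),
      challengeWithAny: record('challengeWithAny'),
      enrollWith: record('enrollWith'),
      enrollWithAny: record('enrollWithAny'),
    },
  };
}

// Constructed simulation of one login: run Action 1, then, if it issued a
// challenge, mark MFA as completed the way the platform would before Action 2
// runs. Returns the sequence of api operations invoked.
function simulateLogin(enrolledFactors) {
  const event = { user: { enrolledFactors }, authentication: { methods: [] } };
  const api = makeRecordingApi();
  challengeExistingFactorAction(event, api);
  if (api.calls.some((c) => c.op === 'challengeWithAny')) {
    event.authentication.methods.push({ name: 'mfa', timestamp: new Date().toISOString() });
  }
  enrollNewFactorAction(event, api);
  return api.calls.map((c) => c.op);
}
```

Running `simulateLogin([{ type: 'otp' }])` yields `['challengeWithAny', 'enrollWith']`, while `simulateLogin([{ type: 'email' }])` yields just `['enrollWith']`, matching the article's email-only exception. The guard in the second Action is the practical takeaway: if the challenge Action is reordered or removed, enrollment is skipped rather than surfacing the error to the user.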