If you’re not being taken to the MFA page in the production environment, this could be due to several things. Some things to check:
- Confirm that the tenant session timeout in production is equivalent to development. If the production tenant has a really short session timeout, it could be expiring between the time the user authenticated and the time you perform the step-up request.
- Confirm that the authorization request is done in the exact same conditions. Technically, it’s possible to force the login page to be shown even if an authenticated session already exists. For example, with `prompt=login` the login page would always be triggered.
- Check that the overall tenant and client configuration is equivalent. For example, at the tenant level check that both tenants have the same configuration for seamless SSO and universal login experiences. At the client level check that both clients have the same configuration options set.

Finally, if it is still not working, you should compare step-by-step the HTTP network trace (browser dev tools) of the login attempt in both environments in order to see if you notice any differences.
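To make the "same exact condition" and network-trace comparison concrete, here is an added example (not part of the original answer, and not Auth0 code) that diffs the query parameters of two authorization requests captured from the browser dev tools in each environment. It flags parameters that, per the OIDC spec, change whether an existing session is reused (`prompt`, `max_age`, `acr_values`, `login_hint`; which of these your tenant honours is an assumption to verify against your provider's docs). The two URLs, client ids and tenant hostnames are constructed sample values, and `state`/`nonce` are ignored by default because they are expected to differ between requests.

```python
from urllib.parse import urlsplit, parse_qs

# OIDC parameters that affect whether an existing authenticated session is reused.
# Assumption: this set is taken from the OIDC spec, not from the original answer.
SESSION_AFFECTING = {"prompt", "max_age", "acr_values", "login_hint"}

# Per-request values that are expected to differ and should not count as a config difference.
EXPECTED_TO_DIFFER = {"state", "nonce"}


def authorize_params(url):
    """Return the query parameters of an /authorize URL as a dict (single values unwrapped)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: (v[0] if len(v) == 1 else v) for k, v in qs.items()}


def diff_authorize_requests(dev_url, prod_url, ignore=EXPECTED_TO_DIFFER):
    """Map each differing parameter name to (dev_value, prod_value); None means absent."""
    dev, prod = authorize_params(dev_url), authorize_params(prod_url)
    diffs = {}
    for key in sorted((set(dev) | set(prod)) - set(ignore)):
        if dev.get(key) != prod.get(key):
            diffs[key] = (dev.get(key), prod.get(key))
    return diffs


def session_affecting_diffs(diffs):
    """Keep only the differences that explain a login page being shown or skipped."""
    return {k: v for k, v in diffs.items() if k in SESSION_AFFECTING}


# Constructed sample requests: the dev request forces a fresh login, the prod request does not.
DEV_URL = (
    "https://dev-tenant.example.com/authorize?client_id=dev123&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid"
    "&prompt=login&state=abc"
)
PROD_URL = (
    "https://prod-tenant.example.com/authorize?client_id=prod456&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid"
    "&state=xyz"
)


if __name__ == "__main__":
    all_diffs = diff_authorize_requests(DEV_URL, PROD_URL)
    for name, (dev_val, prod_val) in all_diffs.items():
        marker = "!!" if name in SESSION_AFFECTING else "  "
        print(f"{marker} {name}: dev={dev_val!r} prod={prod_val!r}")
```

Paste the two `/authorize` URLs from the network trace of each environment; any line marked `!!` is a parameter that by itself explains a different login experience, while the remaining lines (such as `client_id`) point at tenant or client configuration that still needs to be compared by hand.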