msintuneappsdk / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

MFA prompt appears during MSAL interactive token flow even though MFA is disabled #429

Open viwod opened 2 weeks ago

viwod commented 2 weeks ago

Describe the bug: The MFA prompt to install the Authenticator app appears even though the user's MFA requirement has been disabled. This occurs during the MSAL interactive token acquisition flow. We have checked to ensure that MFA for this user has been disabled via three methods:

  1. Navigating to per-user MFA settings, the user has multi-factor authentication set to disabled
  2. Within Entra ID -> Overview -> Properties -> Security defaults are disabled for this user as they are targeted by a conditional access policy
  3. Within the access controls for the conditional access policy targeting this user, the only control enforced is the requirement of an app protection policy. The user is already targeted by a valid app protection policy for the app.

To Reproduce: Steps to reproduce the behavior:

  1. loginAndEnrollAccount() for user
  2. Intune SDK displays prompt to restart app to apply app protection policies
  3. App restarts
  4. Attempt to acquire MSAL token silently
  5. Receive interaction required error, initiate interactive token acquisition via acquireTokenInteractively()
  6. Enter account credentials on Microsoft page that appears
  7. MFA prompt (in attached image) appears. (Error code 50127)

Expected behavior: Allow interactive token acquisition to proceed without requiring Authenticator app interaction.

Screenshots and logs:

[Screenshot 2024-05-02 at 5:18:28 PM]

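The reproduction steps above (enroll with the Intune SDK, try a silent MSAL acquisition, fall back to an interactive one on interaction-required) as an added Swift example; this is not code from the reporter or from the Intune App SDK. The client ID, redirect URI, authority, scope and the TokenFlowDemo, enroll and acquireToken names are assumptions; the MSAL and IntuneMAM calls are the public ones from those frameworks.

```swift
import UIKit
import MSAL
import IntuneMAMSwift

enum TokenFlowError: Error {
    case completedWithoutResultOrError
}

/// Added example (not the SDK's own code). Placeholder values below are marked.
final class TokenFlowDemo {
    private let app: MSALPublicClientApplication
    private let scopes = ["https://graph.microsoft.com/User.Read"]   // placeholder scope

    init() throws {
        let authority = try MSALAADAuthority(
            url: URL(string: "https://login.microsoftonline.com/common")!)  // placeholder authority
        let config = MSALPublicClientApplicationConfig(
            clientId: "00000000-0000-0000-0000-000000000000",              // placeholder client ID
            redirectUri: "msauth.com.example.app://auth",                  // placeholder redirect URI
            authority: authority)
        app = try MSALPublicClientApplication(configuration: config)
    }

    /// Step 1 of the report: enroll the account with Intune. On first enrollment
    /// the SDK may restart the app to apply policy (step 2), so nothing after
    /// this call should assume the process survives.
    func enroll(upn: String) {
        IntuneMAMEnrollmentManager.instance().loginAndEnrollAccount(upn)
    }

    /// Steps 4 and 5: acquire silently first; go interactive only when MSAL
    /// reports interactionRequired, and treat every other failure as an error
    /// so transient or configuration problems never surface a sign-in page.
    func acquireToken(accountIdentifier: String,
                      presenting viewController: UIViewController,
                      completion: @escaping (Result<MSALResult, Error>) -> Void) {
        let account: MSALAccount
        do {
            account = try app.account(forIdentifier: accountIdentifier)
        } catch {
            completion(.failure(error))
            return
        }

        let silent = MSALSilentTokenParameters(scopes: scopes, account: account)
        app.acquireTokenSilent(with: silent) { result, error in
            if let result = result {
                completion(.success(result))
                return
            }
            guard let nsError = error as NSError? else {
                completion(.failure(TokenFlowError.completedWithoutResultOrError))
                return
            }
            guard nsError.domain == MSALErrorDomain,
                  nsError.code == MSALError.interactionRequired.rawValue else {
                completion(.failure(nsError))
                return
            }
            self.acquireInteractively(account: account,
                                      presenting: viewController,
                                      completion: completion)
        }
    }

    private func acquireInteractively(account: MSALAccount,
                                      presenting viewController: UIViewController,
                                      completion: @escaping (Result<MSALResult, Error>) -> Void) {
        let web = MSALWebviewParameters(authPresentationViewController: viewController)
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: web)
        params.account = account
        app.acquireToken(with: params) { result, error in
            if let result = result {
                completion(.success(result))
                return
            }
            guard let nsError = error as NSError? else {
                completion(.failure(TokenFlowError.completedWithoutResultOrError))
                return
            }
            // Record the service-side details MSAL attaches to the error so the
            // AADSTS code (50127 in the report) and the correlation ID can be
            // matched against the tenant's sign-in logs instead of guessed from the UI.
            let info = nsError.userInfo
            print("interactive acquisition failed:",
                  "oauth=\(info[MSALOAuthErrorKey] ?? "-")",
                  "suberror=\(info[MSALOAuthSubErrorKey] ?? "-")",
                  "correlation=\(info[MSALCorrelationIDKey] ?? "-")",
                  "description=\(info[MSALErrorDescriptionKey] ?? "-")")
            completion(.failure(nsError))
        }
    }
}
```

Two choices worth noting: the interactive fallback is gated on `MSALError.interactionRequired` only, so a network or client-configuration failure does not put a sign-in page in front of the user; and the error's `userInfo` keys are logged on the interactive path, which is what lets the code in step 7 be correlated with the Entra sign-in log entry for the same correlation ID when triaging a report like this one.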

pmod2 commented 2 weeks ago

Thanks for reaching out. Kindly contact me directly at my email address priyankamodi@microsoft.com to provide additional details that might include Personally Identifiable Information (PII), which may not be suitable for public disclosure.

  1. Intune Logs
  2. Intune Diagnostic Logs
  3. Application ID
  4. Fiddler trace of repro
  5. Video recording of the repro.
  6. User ID:
  7. Intune Device ID: