How Azure SSO and Two-Factor Authentication Works
Source: autosoft-workshop/app/controllers/sessions_controller.rb, company_setting.rb
- When Azure SSO is enabled, normal password login is completely blocked — users must click the SSO button, password fields won't work
- Azure SSO required setting is intentionally bypassed on the mobile app — mobile users can still log in with username/password even when SSO is enforced on web
- OTP (one-time password) validation allows a 300-second (5-minute) drift window — codes slightly before or after the current time window are accepted
- OTP delivery method: if the request param is truthy AND the user has a mobile number on file, OTP is sent via SMS; otherwise it falls back to email
- 2FA prompt is skipped entirely if the user recently validated, based on last_otp_time plus the configured expiration period
- Enabling "Enforce 2FA" at the company level resets ALL users' OTP validity — every user must re-authenticate with 2FA on their next login
- Disabling 2FA is blocked if Xero is connected — Xero integration forces 2FA to remain on for the entire company
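The OTP logic described above, as an added Ruby example that is not the app's own sessions_controller code: a stdlib-only TOTP (RFC 6238 with HMAC-SHA1 and 6-digit codes, assumed here since the notes do not state the algorithm) checked against every time step inside the 300-second drift window, the "recently validated" skip test on last_otp_time, and the SMS-or-email channel choice. Function names (verify_otp, otp_prompt_required?, otp_channel) and the 30-second step are hypothetical; note that each second of drift accepted adds more time steps a submitted code may match, so the window is kept explicit and the comparison is constant-time.

```ruby
require 'openssl'

TOTP_STEP  = 30    # seconds per time step (RFC 6238 default; assumed)
OTP_DIGITS = 6     # code length (assumed)
OTP_DRIFT  = 300   # seconds of clock drift accepted either side of "now"

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
# dynamic truncation down to OTP_DIGITS decimal digits.
def hotp(secret, counter)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = mac.bytes.last & 0x0f
  code = (mac[offset, 4].unpack1('N') & 0x7fffffff) % (10**OTP_DIGITS)
  format("%0#{OTP_DIGITS}d", code)
end

# RFC 6238 TOTP: HOTP with the counter derived from the Unix time.
def totp(secret, at)
  hotp(secret, at / TOTP_STEP)
end

# Byte-wise comparison that does not short-circuit on the first mismatch.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the code if it matches any time step that starts within
# +/- OTP_DRIFT seconds of `now`. Every candidate step is compared, so
# timing does not reveal which step (if any) matched.
def verify_otp(secret, code, now:)
  first = (now - OTP_DRIFT) / TOTP_STEP
  last  = (now + OTP_DRIFT) / TOTP_STEP
  (first..last).reduce(false) { |ok, c| constant_time_eq(hotp(secret, c), code) | ok }
end

# The 2FA prompt is skipped while last_otp_time plus the company's
# configured expiration period is still in the future.
def otp_prompt_required?(last_otp_time, expiration_seconds, now:)
  return true if last_otp_time.nil?
  now >= last_otp_time + expiration_seconds
end

# SMS only when the request asked for it AND a mobile number is on file;
# otherwise the code falls back to email.
def otp_channel(sms_requested, mobile_number)
  sms_requested && !mobile_number.to_s.strip.empty? ? :sms : :email
end
```

A code that fails verify_otp but matches totp(secret, now + 330) is the "outside the 5-minute drift window" case from the support scenarios.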
Support scenarios
- "I can't log in with my password" → Azure SSO is enabled, user must use the SSO button instead of typing credentials
- "My mobile app doesn't require SSO but the website does" → SSO enforcement is intentionally skipped on mobile
- "My 2FA code isn't working" → code may be outside the 5-minute drift window, or user's device clock is significantly off
- "I didn't get my 2FA code" → no mobile number on file so it went to email, or SMS delivery failed
- "Everyone had to re-do 2FA today" → an admin toggled the Enforce 2FA setting, which resets all users
- "Can't turn off 2FA" → Xero is connected to the company, which forces 2FA to stay enabled