User pressed "Report" by accident in Auth app. At next login his MFA is blocked for good - even after MFA reset (receives "Unable to add account" or "QR code already used")

RaduOrleanu 1 Reputation point
2022-09-17T16:12:32.133+00:00

All this happened because the user receives duplicate notifications for login in his Microsoft Authenticator app. The user pressed "Report" in the Microsoft Authenticator app by accident, but still managed to log in correctly.
A couple of days later, when he had to renew his authentication via the Microsoft Authenticator app, he could not use it anymore, so he asked support for help.

The tenant support reset his MFA, but now he is unable to set up MFA using Microsoft Authenticator because scanning the QR code returns "Unable to add account" or "QR code already used". He tried other auth apps (Google Authenticator etc.), and although they scan the QR code correctly, the generated code is recognized as wrong every time by Azure during the MFA setup.

I looked it up online and it could be he was added to some list which keeps blocking his MFA setup attempts. Someone instructed me to look into Azure AD in Security > MFA > block/unblock users and see if he's listed there. Tenant support checked and he isn't in the list.

Has anyone had this problem? Is there any solution, or is the account blocked for good?

Microsoft Security | Microsoft Authenticator

1 answer

  1. JimmySalian-2011 42,511 Reputation points
    2022-09-17T17:21:34.68+00:00

    Hi,

    Usually the reset from the console or portal should fix the issue; however, could you please follow the steps below to reset and unblock MFA in Azure Active Directory via the Azure portal and PowerShell.

    Using Azure Portal:

    Sign in to the Azure portal with the tenant Global Administrator account.

    Navigate to Azure Active Directory > Users > All users > Choose the user you wish to perform an action on > select Authentication methods > Require Re-register MFA.

    Once this is done, the next time the user signs in, he/she will be requested to set up a new MFA authentication method.

    Note: The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable.

    Using PowerShell:

    Install the MSOnline PowerShell module.

    Run Connect-MSOLService and sign in with the Global Administrator account.

    Run the Set-MsolUser -UserPrincipalName John.dave@CompanyPortal.com -StrongAuthenticationMethods @() cmdlet to reset the MFA registration information.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
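The PowerShell steps in the answer above, put together as an added example (not code from the answer's author or from Microsoft): it records the user's registered strong-authentication methods before the reset, clears them with Set-MsolUser exactly as described, and then reads them back so the admin can confirm the reset actually took effect before sending the user to re-register. It assumes the MSOnline module is installed, that the signed-in account is a Global Administrator, and uses a placeholder UPN.

```powershell
# Added example: audit, reset and verify a user's MFA registration with the MSOnline module.
# Assumes: MSOnline is installed, and the account used for Connect-MsolService is a Global Administrator.
$Upn = 'John.dave@CompanyPortal.com'   # placeholder UPN; replace with the affected user's UPN

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for the Global Administrator sign-in

function Get-MfaState {
    # Summarise what Azure AD currently holds for the user's strong authentication.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        # Registered methods, e.g. PhoneAppNotification (default), PhoneAppOTP
        Methods           = ($u.StrongAuthenticationMethods |
                               ForEach-Object { "$($_.MethodType)$(if ($_.IsDefault) { ' (default)' })" }) -join ', '
        # Per-user MFA state (Enabled / Enforced), empty when MFA comes only from Conditional Access
        Requirements      = ($u.StrongAuthenticationRequirements | ForEach-Object State) -join ', '
        Phone             = $u.StrongAuthenticationUserDetails.PhoneNumber
    }
}

# 1. Record the state before touching anything, so the change is reviewable afterwards.
$before = Get-MfaState -UserPrincipalName $Upn
Write-Host "Before reset:"
$before | Format-List

# 2. Clear the registered methods; the user is prompted to register again at next sign-in.
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods @()

# 3. Read the state back and verify the reset actually happened.
$after = Get-MfaState -UserPrincipalName $Upn
Write-Host "After reset:"
$after | Format-List

if ([string]::IsNullOrEmpty($after.Methods)) {
    Write-Host "MFA registration cleared for $Upn. The user will be asked to set up MFA at next sign-in."
} else {
    Write-Warning "Methods still registered for ${Upn}: $($after.Methods). Re-check the portal (Users > Authentication methods) and the MFA blocked-users list."
}
```

The before/after comparison is the part worth keeping: if the "after" output still lists methods, the reset did not apply and the problem is somewhere else (for instance the blocked-users list the question mentions), which saves a second round of "try scanning the QR code again". The Phone and Requirements fields are read-only context here and are not changed by the script.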
