AAD: Change MFA device of admin

Jason Lee 181 Reputation points
2022-12-05T20:26:19.19+00:00

Hi,
I'm an admin for several AAD B2C tenants and I recently got a new phone so I'm trying to change the device registered for multifactor authentication on all the tenants. However, the option I usually use to do this is greyed out/disabled for only myself. How do I change the phone I use for MFA?

I can still reset MFA settings for other users. I still have my old phone and can use it for MFA at the moment. I've searched for a solution online and unsuccessfully tried a few other suggestions like disabling Security Defaults or adding the Privileged Authentication Administrator (even though it shouldn't be necessary since I'm a Global Admin).

Thanks in advance!


Accepted answer
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-12-12T21:57:26.287+00:00

    @Jason Lee
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    As a Global Admin for several AAD B2C tenants, you recently got a new phone so you're trying to change the device registered for multifactor authentication on all the tenants, but the option to Require Re-register MFA is greyed out/disabled for your user. However, you're able to reset MFA settings for other users, and you still have your old phone and can use it for MFA at the moment.

    Solution:

    1. Get another Global Administrator on the tenant to click the Require re-register multifactor authentication button. If there is no other Global Administrator, just create a local account or invite another MS or AAD account you may have.
    2. Go to https://mysignins.microsoft.com/security-info, switch to the tenant you want to reset MFA for (the Organizations button at top right of screen), and go to the Security Info tab. Find the problematic tenant and remove your old device. Next time you try to access the tenant in Azure Portal, you'll be prompted to set up your MFA again. If you switched your phone, you'll want to go through every "Organization" in that list to remove your old phone.

    Delete security info from My Account

    If you have any other questions, please let me know.
    Thank you again for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


2 additional answers

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2022-12-05T23:00:46.197+00:00

    You can't change that for yourself as an admin.
    Go here instead:
    https://account.activedirectory.windowsazure.com/Proofup.aspx

    and set as required for yourself.


  2. Jason Lee 181 Reputation points
    2022-12-08T23:05:54.227+00:00

    I just figured out two ways to get around this problem.

    1. Get another Global Administrator on the tenant to click the Require re-register multifactor authentication button. If there is no other Global Administrator, just create a local account or invite another MS or AAD account you may have.
    2. Go to https://mysignins.microsoft.com/security-info, switch to the tenant you want to reset MFA for (the Organizations button at top right of screen), and go to the Security Info tab. Find the problematic tenant and remove your old device. Next time you try to access the tenant in Azure Portal, you'll be prompted to set up your MFA again. If you switched your phone, you'll want to go through every "Organization" in that list to remove your old phone.
