AAD: Change MFA device of admin

Question

Hi,
I'm an admin for several AAD B2C tenants and I recently got a new phone so I'm trying to change the device registered for multifactor authentication on all the tenants. However, the option I usually use to do this is greyed out/disabled for only myself. How do I change the phone I use for MFA?

I can still reset MFA settings for other users. I still have my old phone and can use it for MFA at the moment. I've searched for a solution online and unsuccessfully tried a few other suggestions like disabling Security Defaults or adding the Privileged Authentication Administrator (even though it shouldn't be necessary since I'm a Global Admin).

Thanks in advance!

Answer 1

@Jason Lee
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue:

As a Global Admin for several AAD B2C tenants, you recently got a new phone so you're trying to change the device registered for multifactor authentication on all the tenants, but the option to Require Re-register MFA is greyed out/disabled for your user. However, you're able to reset MFA settings for other users, and you still have your old phone and can use it for MFA at the moment.

Solution:

1. Get another Global Administrator on the tenant to click the Require re-register multifactor authentication button. If there is no other Global Administrator, just create a local account or invite another MS or AAD account you may have.
2. Go to https://mysignins.microsoft.com/security-info, switch to the tenant you want to reset MFA for (the Organizations button at top right of screen), and to the Security Info tab. Find the problematic tenant and remove your old device. Next time you try to access the tenant in Azure Portal, you'll be prompted setup your MFA again. If you switched your phone, you'll want to go through every "Organization" in that list to remove your old phone.

Delete security info from My Account

If you have any other questions, please let me know.
Thank you again for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

You cant change that for yourself as an admin.
Go here instead:
https://account.activedirectory.windowsazure.com/Proofup.aspx

and set as required for yourself.

Answer 3

I just figured out two ways to get around this problem.

1. Get another Global Administrator on the tenant to click the Require re-register multifactor authentication button. If there is no other Global Administrator, just create a local account or invited another MS or AAD account you may have.
2. Go to https://mysignins.microsoft.com/security-info, switch to the tenant you want to reset MFA for (the Organizations button at top right of screen), and to the Security Info tab. Find the problematic tenant and remove your old device. Next time you try to access the tenant in Azure Portal, you'll be prompted setup your MFA again. If you switched your phone, you'll want to go through every "Organization" in that list to remove your old phone.