Guest User New MFA Device

Question

Hi,

I ahve following Problem, On of my User changed is iPhone and have troubles with the MFA for some Tennat, whrer he is guest with our Account. On the new Phone he still has The Message, that he need the QR Code.

for his Normal account , its not a Problem, he can to it over his User Profil. He has still access to hsi old Phone

But he can't do it with the Guest account - i found follwing:

1. Login to https://myapplications.microsoft.com/ using your 'normal' tenancy credentials.
2. Select the profile badge for you (circle, top right), and select 'Switch organisation' to log into the guest tenancy you want to reconfigure. At this point if you don't have access to the current MFA authenticator device you will need to use 'login another way' to use SMS MFA for this login.
3. Now, in the guest tenancy, select your badge again, and select 'My Profile'. If you don't see 'My Profile', use the ellipsis (...) and select to leave the 'new experience'. When the page reloads, now you should find the 'My Profile' link under your badge.
4. On the profile page, right hand side, you should see 'Additional Security Verification'. This should get you to this page in the guest tenancy: https://account.activedirectory.windowsazure.com/Proofup.aspx
5. From there you should see options to (re)setup your Authenticator app (scan the QR code etc...). Don't forget to delete the registration for your old phone too.

When i press "Security Info" then the page open an still stand on "Loading"

How can the user reste his MFA in the guest tenant ?

Thank you

Answer 1

Hi @Friedrich Weiland

Thank you for posting your query on Microsoft Q&A.

Could you please confirm if the step you mentioned is working for the user? "At this point if you don't have access to the current MFA authenticator device you will need to use 'login another way' to use SMS MFA for this login."

Normally when a user changes their device they will need to enrol in MFA again, and if they cannot navigate to the "Security info" portal to do this, then an admin will need to take the action "Require user to re-register multifactor authentication".

This needs to be done for each individual tenant that the user is a guest in, as their MFA registration is unique to each tenant. The user may need to contact an admin in the guest tenant.

If the user still has access to the old phone but is having trouble reaching the Security info portal for a specific tenant they can hardcode the URL with the specific tenant id as follows - https://mysignins.microsoft.com/security-info?tenant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

Do let me know if this helps or if you have any further queries, I would be happy to help!

Answer 2

Hello @Domooney-MSFT

I would like to build up on the subject mentioned above.

Indeed, I am facing the same kind of problem, as i recently changed my phone (and don't have any access to the old one).

I have been able to set up my mfa QR code for my "normal" account but I am unable to access my guest account as i don't know how i can "re" set-up my guest account mfa which is different but supposedly linked to the same email. It is a quite confusing as i cannot even leave the organization not having any alternative method to validate the process, and I obviously don't receive the notification on my "normal" account authentificator.

My admin asked me to ask the guest account organization, but they do not even use Microsoft Authentifcator, so i'm clearly lost.

Please let me know if something is unclear, thank you for your help !

Answer 3

Thank you for your prompt response, will try this way