M365 Basic Global Admin cannot receive second factor to add replacement phone to security info

Ravi Shah 20 Reputation points
2023-10-19T14:28:34.5066667+00:00

I had to replace my phone yesterday, but ran into a conundrum: when I need to access mysignins to update the Security Info to update Authenticator on the new phone I am prompted to approve the App request with the number or provide a code. I do have a backup device (an older iPad) but it does not support the latest Authenticator app update. Since I am the Global Admin I am only forced to use MFA to access the Security Info for my account - all other logins work fine. There are only two options for the two-factor prompt: Auth App number match or Auth App code. I have searched around M365 Admin Center and Entra Admin but I can't figure out how to clear/reset this for my account. I do not have Entra Premium. Thanks for any suggestions!

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Authenticator
0 comments No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-10-27T19:17:21.4033333+00:00

    @Ravi Shah

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Issue:

    I had to replace my phone yesterday, but ran into a conundrum: when I need to access mysignins to update the Security Info to update Authenticator on the new phone I am prompted to approve the App request with the number or provide a code. I do have a backup device (an older iPad) but it does not support the latest Authenticator app update. Since I am the Global Admin I am only forced to use MFA to access the Security Info for my account - all other logins work fine. There are only two options for the two-factor prompt: Auth App number match or Auth App code. I have searched around M365 Admin Center and Entra Admin but I can't figure out how to clear/reset this for my account. I do not have Entra Premium

    Solution:

    Good news. I worked around the limitation by:

    1. Temporarily elevating another M365 user to Global Admin that is already configured with MFA
    2. As the temp Global Admin, go to my account's MFA settings in M365 Admin Center
    3. Manage user settings in multi-factor authentication
    4. In Manage user settings, enable "Require selected users to provide contact methods again" After I logged in to my account I was able to edit Security info and re-establish Authenticator App pairing with the new phone. I may have been able to do it in Entra ID with the temp Global Admin, but this was less complicated and less likely to mess up the tenant :)
    • If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!


    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. JimmySalian-2011 42,511 Reputation points
    2023-10-19T17:41:14.8233333+00:00

    Hi,

    Can you check the steps listed here - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options

    This should assist you to reset MFA for your account and also will advice you to setup a backup account - Breakglass account as a backup.

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. Ravi Shah 20 Reputation points
    2023-10-19T22:09:15.6433333+00:00

    Good news. I worked around the limitation by:

    1. Temporarily elevating another M365 user to Global Admin that is already configured with MFA
    2. As the temp Global Admin, go to my account's MFA settings in M365 Admin Center
    3. Manage user settings in multi-factor authentication
    4. In Manage user settings, enable "Require selected users to provide contact methods again"

    After I logged in to my account I was able to edit Security info and re-establish Authenticator App pairing with the new phone.

    I may have been able to do it in Entra ID with the temp Global Admin, but this was less complicated and less likely to mess up the tenant :)

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.