M365 Basic Global Admin cannot receive second factor to add replacement phone to security info

Question

I had to replace my phone yesterday, but ran into a conundrum: when I need to access mysignins to update the Security Info to update Authenticator on the new phone I am prompted to approve the App request with the number or provide a code. I do have a backup device (an older iPad) but it does not support the latest Authenticator app update. Since I am the Global Admin I am only forced to use MFA to access the Security Info for my account - all other logins work fine. There are only two options for the two-factor prompt: Auth App number match or Auth App code. I have searched around M365 Admin Center and Entra Admin but I can't figure out how to clear/reset this for my account. I do not have Entra Premium. Thanks for any suggestions!

Answer 1

@Ravi Shah

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

• Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

Issue:

I had to replace my phone yesterday, but ran into a conundrum: when I need to access mysignins to update the Security Info to update Authenticator on the new phone I am prompted to approve the App request with the number or provide a code. I do have a backup device (an older iPad) but it does not support the latest Authenticator app update. Since I am the Global Admin I am only forced to use MFA to access the Security Info for my account - all other logins work fine. There are only two options for the two-factor prompt: Auth App number match or Auth App code. I have searched around M365 Admin Center and Entra Admin but I can't figure out how to clear/reset this for my account. I do not have Entra Premium

Solution:

Good news. I worked around the limitation by:

1. Temporarily elevating another M365 user to Global Admin that is already configured with MFA
2. As the temp Global Admin, go to my account's MFA settings in M365 Admin Center
3. Manage user settings in multi-factor authentication
4. In Manage user settings, enable "Require selected users to provide contact methods again" After I logged in to my account I was able to edit Security info and re-establish Authenticator App pairing with the new phone. I may have been able to do it in Entra ID with the temp Global Admin, but this was less complicated and less likely to mess up the tenant :)

• If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

I hope this helps!

---

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Answer 2

Hi,

Can you check the steps listed here - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options

This should assist you to reset MFA for your account and also will advice you to setup a backup account - Breakglass account as a backup.

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Answer 3

Good news. I worked around the limitation by:

1. Temporarily elevating another M365 user to Global Admin that is already configured with MFA
2. As the temp Global Admin, go to my account's MFA settings in M365 Admin Center
3. Manage user settings in multi-factor authentication
4. In Manage user settings, enable "Require selected users to provide contact methods again"

After I logged in to my account I was able to edit Security info and re-establish Authenticator App pairing with the new phone.

I may have been able to do it in Entra ID with the temp Global Admin, but this was less complicated and less likely to mess up the tenant :)