MFA push notifications

Question

MFA push notifications

Bernard Lai 1

Hi, currently we’ve a user whereby the old phone were damage and can’t access anymore and had requested for a reset of MFA, we’ve tried revoke all the MFA session and re-register the MFA, after the re-register however when he login to portal.azure, the MFA push notifications still goes to his old device, how can we remove that and change to the new phone? The per-user MFA were disabled, need advice on this, thanks.

Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-24T15:07:51.9733333+00:00

Hi @Bernard Lai

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?If the information helped address your question, please Accept the answer.
Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-27T09:20:15.16+00:00

Hi @Bernard Lai

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know. Please remember to "Accept Answer" if answer helped you.

1 answer

Your answer

Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-24T15:07:51.9733333+00:00

Hi @Bernard Lai

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?If the information helped address your question, please Accept the answer.
Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-27T09:20:15.16+00:00

Hi @Bernard Lai

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know. Please remember to "Accept Answer" if answer helped you.

Answer 1

Gudivada Adi Navya Sri 21,080 Moderator

Hi@Bernard Lai

Thank you for posting this in Microsoft Q&A.

As I understand that one of the user phone where damage can’t access anymore and had requested for a reset of MFA.

Option1: After the re-register user need to set up their MFA just like a new user.

Follow below steps to reset MFA.

Sign into the Microsoft Entra admin center as a global administrator
Browse to Identity > Users > All users > Select user.
Select Authentication methods.
Click "Switch to the new user authentication methods experience".
Highlight the usable method associated to the redundant device and delete it.
Select Require re-register MFA, Click Yes, reset it to reset the user's MFA.

The next time the user logs in, they will need to set up their MFA just like a new user.

For your reference https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userdevicesettings#manage-user-authentication-options

Option2: Use a Temporary Access Pass create temporary Access Pass for that user ask them to login with Temporary Access Pass. A Temporary Access Pass is a time-limited passcode that user can use to sign in to your M365 account without old device. Once user logged in to portal. He himself can register for a new device and can delete the old device as well.

option3: Also, if user has backup of authenticate app settings refer to this link on how to restore it - https://support.microsoft.com/en-gb/account-billing/back-up-and-recover-account-credentials-in-the-authenticator-app-bb939936-7a8d-4e88-bc43-49bc1a700a40

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Bernard Lai 1 Reputation point

2023-11-20T07:35:07.4166667+00:00

Hi, unfortunately at point number 5, the old device is not listed there, thanks
Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-20T08:17:52.91+00:00

Hi@Bernard Lai

As you said MFA have disabled to that user so you can enable MFA then to perform Require re-register MFA it deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set. This is enough to reset MFA.

You can see the old device in the image below.

Hope this helps. Do let us know if you any further queries.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Bernard Lai 1 Reputation point

2023-11-20T08:23:44.1933333+00:00

Hi, thanks for replying but as mentioned earlier we’ve tried that option, the user re-register everything and it works well, however when the user try to login to portal.azure.com the MFA push notifications were sent to the old device and not the new device, other site works good e.g https://aka.ms/mfasetup, this site will send the push notifications to new device, only when the user trying to login to portal.azure.com the push notification sent to the old device, hope this clarifies, thank you
Gudivada Adi Navya Sri 21,080 Reputation points Moderator

2023-11-21T16:46:04.3+00:00

Hi@Bernard Lai

I have tried to reproduce the same issue in my environment. After performing the Require re-register MFA for the user, the next time they log in, they will need to set up their MFA just like a new user. Regardless of the sites, the same device that was followed during MFA setup will receive notifications for authentication.

Would it be possible for user to try logging into ms.portal.azure.com in private mode or with a more up-to-date browser?

Share via

MFA push notifications

1 answer

Your answer