Query Regarding Additional MFA in Microsoft Account Security

Venkata V.reddy 25 Reputation points
2024-01-09T02:44:12.7533333+00:00

Hi Microsoft Community,

I have a concern regarding the security features in Microsoft accounts, particularly related to Multi-Factor Authentication (MFA).

As I understand, when adding a new MFA method to our Microsoft accounts, it's possible to do so without being prompted to re-verify the existing MFA. This raises a security question in my mind.

In the scenario where a user account is compromised, and the attacker has already established access using MFA, there seems to be a potential risk. In case an attacker gains access through methods like AITM attacks, they could add an additional MFA method, thereby maintaining persistence.

I would like to inquire if there is an option or setting that can be enabled to ensure that when users add an additional MFA method, they are prompted to reconfirm with any of the existing MFA methods. This additional layer of security would be valuable in preventing an attacker from maintaining persistence.

Your insights and guidance on this matter would be greatly appreciated. Thank you for your time and assistance.

Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Vasil Michev 120K Reputation points MVP Volunteer Moderator
    2024-01-09T08:39:08.4733333+00:00

    Changing any authentication method does require additional verification, and if we're talking about Entra ID/Microsoft 365 accounts, you can also configure restrictions as to the initial MFA registration, or configure additional controls such as require a TAP. See for example this article: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-registration

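As an added illustration of the control the answer points to (not code from the answer or from Microsoft), this Microsoft Graph PowerShell snippet creates a Conditional Access policy that requires MFA for the "Register security information" user action, deployed in report-only mode first. The break-glass group id is a placeholder you must replace.

```powershell
# Added example: Conditional Access policy requiring MFA whenever a user registers
# or changes security info (i.e. adds an MFA method). Created in report-only mode
# so sign-in logs can be reviewed before enforcement.
# Assumes the Microsoft Graph PowerShell SDK is installed; group id is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the group holding emergency-access (break-glass) accounts
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for security info registration"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # The "Register security information" user action covers adding or
            # changing authentication methods in My Security Info
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Verification: list every policy that targets the registration user action
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Applications.IncludeUserActions -contains "urn:user:registersecurityinfo" } |
    Select-Object DisplayName, State
```

Review the report-only results in the sign-in logs, then flip the state to "enabled"; the same policy shape can require a Temporary Access Pass instead by adjusting the grant controls per the linked article.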
