Loop with Authenticator + Basic Authentication

Question

Hi all,

I'm trying to login to my azure portal with my admin account, even though the MFA authentication via app is setup in my profile, It won't let me login and asks for Phone and other method's which are in conflict with the " block basic authentication prompts" and therefore I cannot login anymore.

I think is is the reason why the lock is been initiated, Somehow Microsoft doesn't recognise my account has the MFA already activated, and pushes for basic authentication, which is blocked by the following policy. Which is irreversible by the way, and now I' m not able to login at all...When you go to the link in this page you' ll get no policies and a message "we are sorry but we are not accepting new preview customers at this time "

Answer 1

@Domic Vo thank you for your elaborate response, and yes I’m aware of the situation. Just hoped that there might be another solution. I asked another global admin to create a new account. And the same thing occurred now I’m scared that this will happen to the rest of the admins as well.. bc with the new account I also get the same issue.. I cannot open a support case with Microsoft directly since I need to have a working admin account and that is in the loop 😭 hence my challenge. I’ll try to call Microsoft tomorrow during business hours..

Answer 2

Hello Marthine Ruitenberg,

This issue is not related to Windows for Business or Windows 365 Enterprise. What you are running into is entirely within the Microsoft 365 identity and authentication stack, specifically Azure AD (now Entra ID) and the policies applied to modern authentication.

The “Block basic authentication prompts” policy you enabled is designed to prevent legacy authentication flows that rely on username/password prompts. Once enforced, any attempt to sign in using basic auth is blocked outright, and users cannot override it. The problem here is that your account is being forced into a fallback authentication method that still relies on basic auth prompts, even though you already have MFA configured. That mismatch is why you’re locked out.

The fact that you’re seeing requests for phone or alternate methods despite having the Authenticator app registered suggests that your primary MFA method is either not being recognized or is not set as the default in Azure AD. When basic auth is blocked, the system cannot fall back to those insecure prompts, so the login fails.

The only way to reverse or adjust this is through the Microsoft 365 Apps Admin Center or directly in the Entra ID portal, but as you’ve noticed, the policy is irreversible from the user side once enforced. If you are completely locked out of the tenant, you’ll need another Global Admin account that is not affected by this policy to sign in and either adjust the MFA methods for your account or temporarily disable the enforcement. If you do not have another admin account, you’ll need to open a support case with Microsoft directly, as tenant-level lockouts caused by authentication policy misconfiguration cannot be bypassed manually.

To summarize: this is an Azure AD / Microsoft 365 authentication policy issue, not a Windows client or Windows 365 Enterprise issue. The resolution requires either another unaffected admin account or Microsoft Support intervention to restore access.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

Domic Vo.