Is Microsoft behaving illegally?

Question

I moved house approximately 15 months ago, it did not occur to me that I should change my contact number with Microsoft.

I have a replacement computer as the one that I bought proved faulty. The manufacturer suggested that I keep the SSD data and fit the chip into the replacement. This I did but when I switched on the new machine, it said that the sign in security code had to be reset. I went into my Microsoft/windows account and tried to reset it but Microsoft wanted to verify who I was.

A code was sent to the old telephone number (out of use) and there was no other method of verifying me. On another device I have changed my contact number but Microsoft says it will take a month to change this. So you have effectively denied me the use of my new computer! Can this be right, indeed can it even be legal?

Answer 1

Hi Bob,

This 30-day delay is intentional. It’s a security safeguard designed to protect users in case someone else tries to hijack their account by changing recovery info. The wait gives the rightful owner time to notice and stop unauthorized changes.

Unfortunately, this policy cannot be bypassed. You can read more about it directly from Microsoft here:

https://support.microsoft.com/account-billing/-your-security-info-change-is-still-pending-or-you-can-t-access-this-site-right-now-microsoft-account-message-cbd0f64f-02d9-45d2-90c3-2375e5a72e52#:~:text=While%20we%20understand%20this%2030,phone%20number%20or%20email%20address.

=================

The reason you couldn't use PIN is because, the local device security noticed the hardware change. PIN is device specific. When hardware is changed, PIN is not sufficient, hence it wants you to verify your Microsoft account instead.

If you must use your computer now, your only option, which is an honest answer to you, is that you perform a clean install, set it up with a different account for now. Wait 30 days, then link your current account back. By doing so, you do lose your files in the SSD, unless you have them backed up to OneDrive prior to this.

If this is the route you want to take, let me know. I can share the detail instructions.

Answer 2

That is all fine but I will need a step by step guide as how to do this by another device. I could possibly try to adjust the settings via this device but I am afraid that I will be locked out of this device also.

In passing I should say that in the UK a lot of medical messages are sent to me via messages or email and being 82 I cannot risk not receiving them.

Answer 3

Microsoft is enforcing its standard security protections, not acting illegally.

When a sign-in looks unusual (new device, hardware change, or long time since last sign-in), additional verification is required. If the only security info on the account is an old phone number, Microsoft will send the verification code there and block other changes until the security info update completes.

Key points from the documented behavior:

1. Verification must go to existing security info
   • Microsoft uses the email addresses and phone numbers already on the account to send verification codes and confirm identity.
   • If only an old phone number is on file, the code will go there. This is by design to prevent someone else from taking over the account simply by adding a new phone number or email.
   • See: “We’ll send a code to the email addresses listed on your account, and when you respond with the code, we know it’s really you.”
2. Alternate contact methods can be used, but must be verified
   • When prompted with “Let’s protect your account” / “Help us secure your account,” an alternate email or phone can be added, but it must be verified with a code sent to that alternate.
   • It does not have to be the user’s own number; any number or email that can be accessed can be used to receive the code.
3. Delays and blocks are expected in some scenarios
   • If there has been unusual activity, many attempts, or changes that look risky, Microsoft may temporarily block certain verification methods or sign-ins and ask to “Try another verification method.”
   • Microsoft explicitly notes that blocks and waiting periods (including up to several days) are normal security responses to protect accounts from takeover.
4. Using another phone number is allowed for unlocking
   • For some locked-account scenarios, any phone that can receive SMS can be used, even if it is not already associated with the account, and Microsoft states that this does not compromise account security.

These controls exist to protect the account and its contents from unauthorized access. They can be inconvenient—especially after changing phone numbers or devices—but they are consistent with Microsoft’s published security model and are not described as optional or negotiable.

To move forward within these constraints:

1. Use any accessible phone or email as an alternate verification method when prompted by “Help us secure your account,” then verify it with the code.
2. If blocked with “Try another verification method,” follow the documented guidance: try a different verification method on the account, switch networks, and avoid repeated attempts for 24 hours or more.
3. If the account is locked, follow the on-screen aka.ms link and complete the unlock process with a security code sent to a phone that can receive SMS.

The month-long delay for changing primary security info is part of this same protection model: it prevents someone who has just gained partial access from immediately replacing all contact details and locking out the rightful owner.

---

References:

• Microsoft account security info & verification codes
• Help us secure your account
• Troubleshoot Microsoft verification code issues
• Microsoft account has been locked
• Why is Microsoft texting me?