
Microsoft Authenticator app related issue

Dev Jeet 0 Reputation points
2026-03-03T08:25:44.32+00:00

How do I deregister previously registered devices from Microsoft Authenticator when my old devices are not available? I have recently bought a mobile handset, as the previous one has gone out of order or is beyond use. Now I can't add my work profile account to Microsoft Authenticator, as it is showing that there are a lot of devices registered with this ID. I do not have the old mobile devices to get those registered IDs deregistered from the previous devices. Kindly help.

Microsoft Security | Microsoft Authenticator

1 answer

  1. Q&A Assist
    2026-03-03T08:26:03.4466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error occurs because the account already has the maximum number of authenticator app devices (five) registered. Old devices do not need to be physically available; the registrations must be removed from the account in Microsoft Entra ID.

    There are two supported ways to do this, both requiring help from the organization’s admin (Global Administrator) if the user is not an admin:

    1. Delete old authenticator sign-in methods in a browser
      An administrator (or another admin) must first require MFA re-registration for the user:
      1. In the Azure portal, go to Microsoft Entra ID.
      2. Under Manage, select Users.
      3. Select the affected user.
      4. Under Manage, select Authentication methods.
      5. Select Require re-register multifactor authentication.
      Then the user deletes old methods:
      1. Go to https://aka.ms/mysecurityinfo and sign in.
      2. In Security info, delete some or all existing Authenticator app sign-in methods (and any other unneeded methods) until fewer than five authenticator app devices remain.
      3. Add the Microsoft Authenticator app on the new phone as a sign-in method.
      If a passwordless sign-in method is configured, another two-factor method (for example, SMS or phone call) must be set up first to complete deletion of the passwordless method.
    2. Admin deletes authenticator registrations via Microsoft Graph
      A Global Administrator can remove the old authenticator registrations directly:
      1. Sign in to Graph Explorer as a Global Administrator.
      2. In the query area:
        • Set HTTP method to GET.
        • Use: https://graph.microsoft.com/beta/users/<user-principal-name>/authentication/microsoftAuthenticatorMethods (replace <user-principal-name> with the user’s UPN).
        • Run the query and, if prompted, grant UserAuthenticationMethod.ReadWrite.All permission.
      3. In the response, copy the id (GUID) for each authenticator method to be removed.
      4. For each id, run a DELETE query:
        • https://graph.microsoft.com/beta/users/<user-principal-name>/authentication/microsoftAuthenticatorMethods/<authenticator-id-guid>
      5. After the deletions succeed (HTTP 204 No Content), the user can register the Microsoft Authenticator app on the new phone.

    If there is no other admin and the only Global Administrator is locked out due to MFA, the tenant owner must contact Microsoft Support/Data Protection via phone to have MFA methods reset, as shown in the referenced Q&A cases.


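Option 2 of the answer above, scripted in Python as an added example; it is not part of the original answer and is not Microsoft's code. It sends the same GET and DELETE requests, percent-encodes the UPN, and refuses to delete any id the GET did not return. All function names are hypothetical, `graph_send` assumes a bearer token obtained elsewhere, and `fake_graph` with its ids is constructed so the script runs offline.

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"  # endpoint used in the answer above

def methods_url(upn, method_id=None):
    # Percent-encode the UPN: guest UPNs contain '#', which would otherwise cut the path short.
    url = f"{GRAPH}/users/{quote(upn, safe='@')}/authentication/microsoftAuthenticatorMethods"
    return url if method_id is None else f"{url}/{quote(method_id, safe='')}"

def graph_send(token):
    # Real transport. Assumption: token is a bearer token carrying
    # UserAuthenticationMethod.ReadWrite.All, acquired outside this script.
    def send(method, url):
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    return send

def list_registrations(send, upn):
    status, body = send("GET", methods_url(upn))
    if status != 200:
        raise RuntimeError(f"GET returned HTTP {status}")
    return json.loads(body)["value"]

def remove_registrations(send, upn, ids_to_remove):
    # Refuse ids that the GET did not return, so a mistyped GUID never reaches DELETE.
    registered = {m["id"] for m in list_registrations(send, upn)}
    unknown = sorted(set(ids_to_remove) - registered)
    if unknown:
        raise ValueError(f"not registered for {upn}: {unknown}")
    # HTTP 204 No Content is the success status named in the answer.
    return {mid: send("DELETE", methods_url(upn, mid))[0] == 204 for mid in ids_to_remove}

def fake_graph(ids):
    # Constructed offline stand-in for Graph, holding made-up registration ids.
    store, calls = set(ids), []
    def send(method, url):
        calls.append((method, url))
        if method == "GET":
            return 200, json.dumps({"value": [{"id": i} for i in sorted(store)]})
        store.discard(url.rsplit("/", 1)[1])
        return 204, ""
    return send, store, calls
```

Against a real tenant, pass `graph_send(token)` in place of the fake transport and record which ids were removed, since deleting an authentication method is a security-relevant change to the account.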
