Issue with MFA

Matthew Politi 0 Reputation points
2026-03-10T19:09:55.3966667+00:00

I am having issues with MFA in general now. We have Duo set up using the External 2FA method. We followed everything correctly according to the Duo guide and your documentation, but whenever a new user is created, it continues to prompt Secure your account repeatedly. It does not matter which 2FA method is configured.

I have tried everything to stop this from happening. The only error that appears is: User authentication was blocked because they need to provide password reset information. Their next interactive sign-in will ask them for this, which the app should trigger next.

I checked the password reset settings, and the only available method shown is security questions. I turned off password reset, but the issue remains. I then enabled the authentication methods that are allowed since security questions are being removed, but nothing appears in the list. It simply shows that two methods are required, with security questions unchecked, and none of the authentication methods I added appear.

I do not want any of this configured. To test, I turned it off, and now I cannot even turn it back on. I am not sure what is going on. Everything works perfectly fine for existing users, but when a new user is created, this issue keeps happening repeatedly. What is odd is that I set it for Microsoft Authenticator and it still does the same thing. I think something is wrong with password reset. Also, when I load that page (https://portal.azure.com/#view/Microsoft_AAD_IAM/PasswordResetMenuBlade/~/AuthenticationMethods), it shows the whole list with some items checked and then boom only shows attached.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Rukmini 35,245 Reputation points Microsoft External Staff Moderator
    2026-03-10T19:41:24.16+00:00

    Hello Matthew Politi

    The problem arises because no legitimate authentication methods are available for new users to register, yet Self-Service Password Reset (SSPR) / security info registration is still enforced in Microsoft Entra ID. Because of this, new users are constantly asked to “Secure your account” and are prevented from signing in with an error message stating that they need to reset their password.

    As Duo Security uses External 2FA to handle MFA, make sure that either:

    • For SSPR, at least one authentication mechanism (such as Microsoft Authenticator, SMS, or Email OTP) is enabled, or
    • If the SSPR/security info registration campaign is not necessary, disable it.

    Existing users are unaffected because they already have security information registered.

    Let me know if you have any further queries, and feel free to reach out!

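The two conditions in the answer above can be checked against the tenant's authentication methods policy. The following is an added example, not part of the original thread or of Microsoft's documentation: it assumes the policy was exported as JSON from Microsoft Graph `GET /policies/authenticationMethodsPolicy`, and the sample document and the function name `review_policy` are constructed for illustration. Mapping the answer's "SSPR/security info registration campaign" onto the `registrationEnforcement` field is also an assumption.

```python
import json

# Constructed sample shaped like the response of Microsoft Graph
# GET /policies/authenticationMethodsPolicy (values invented for illustration).
SAMPLE_POLICY = json.loads("""
{
  "policyMigrationState": "migrationComplete",
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {"state": "enabled"}
  },
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "disabled"},
    {"id": "Sms", "state": "disabled"},
    {"id": "Email", "state": "disabled"},
    {"id": "Fido2", "state": "enabled"}
  ]
}
""")

# Methods the answer names as usable for SSPR, by their Graph configuration id.
SSPR_METHOD_IDS = {"MicrosoftAuthenticator", "Sms", "Email"}


def review_policy(policy):
    """Return (enabled_sspr_methods, campaign_state, findings)."""
    configs = policy.get("authenticationMethodConfigurations", [])
    enabled = sorted(
        c["id"] for c in configs
        if c.get("id") in SSPR_METHOD_IDS and c.get("state") == "enabled"
    )
    campaign = (
        policy.get("registrationEnforcement", {})
        .get("authenticationMethodsRegistrationCampaign", {})
        .get("state", "unknown")
    )
    findings = []
    if not enabled:
        findings.append("no SSPR-capable method enabled for new users to register")
    if campaign != "disabled":
        findings.append(f"registration campaign state is '{campaign}'")
    # Assumption: before migration completes, the legacy SSPR/MFA blades still apply.
    if policy.get("policyMigrationState") not in (None, "migrationComplete"):
        findings.append("legacy SSPR/MFA method settings may still apply")
    return enabled, campaign, findings


if __name__ == "__main__":
    methods, state, issues = review_policy(SAMPLE_POLICY)
    print("enabled SSPR methods:", methods or "none")
    for issue in issues:
        print("finding:", issue)
```

The legacy "require users to register when signing in" SSPR setting is configured in the portal's Password reset blade and is not part of this policy document, so it still has to be checked there.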
