This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I manage a multiple tenant Azure environment.
My Entra user object is registered for MFA - of course, using Microsoft Authenticator in my home tenant.
The same user is a guest user in all other tenants, that guest user is Global Admin in all tenants.
Therefore, one user is Global Admin in ALL tenants.
Because each tenant requires MFA, the same user object has multiple MFA relationships - one for its home and one for each guest tenant.
Currently, some of the other tenants are configured to use a third party authenticator, NOT Microsoft Authenticator.
I want to change all tenants so that my guest user MFA is associated with Microsoft Authenticator
When I sign into any non-home tenant I go through MFA as expected, using the third party auth app, I then go to "require re-register multifactor authentication" for my user (currently signed in as Global Admin!) there is a "delete operation failed" error with no more details, suggesting to try the operation again. CoPilot troubleshooting is not helpful.
If I follow the link to "Manage your other authentication contact information in your Access Panel Profile" in my Account, and then in https://myaccount.microsoft.com/
There is only one MFA "device" under My Account, "security info", which is for my home tenant.
None of the other tenant MFA config is available.
So the "My Account.Microsoft.com profile only reflects MFA for the home tenant, not any tenant under which my user is a guest.
How can I force MFA re-registration for my guest user in all tenants?
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello Sid Merrett,
This is expected behavior.
MFA for your account is stored only in the home tenant. In other tenants, your account exists as a guest, so there’s no separate MFA registration to manage.
Because of that, “require re-register MFA” in a non-home tenant fails with “delete operation failed”. The MyAccount page also shows only the MFA method from the home tenant, since there aren’t multiple MFA profiles per tenant for a guest user.
To update MFA, you need to reset or re-register it in the home tenant, or use https://aka.ms/mysecurityinfo. That update applies across all tenants.
If other tenants are prompting a third-party authenticator, check their Conditional Access policies and cross-tenant access settings, and enable trust for MFA from the home tenant.
MFA re-registration for a guest user can’t be triggered from a resource tenant; it has to be done in the home tenant.
Hello Sid Merrett,
Any update on this? Please confirm if you still have further queries on this.
I think the guest dir can’t reset mfa because it holds no anchor — only the home tenant does.” “reset once in home, then sign into each guest; if still blocked, their auth‑strength is overriding it.