If the Microsoft Authenticator app is on a lost phone, the goal is to reset or revoke the existing MFA setup so a new device can be registered.
There are two main paths, depending on whether this is a work/school (Microsoft Entra ID) account and whether an admin is available.
- If this is a work or school account and an admin is available

  Ask an Authentication Administrator or other Microsoft Entra admin in the organization to reset MFA for the account in the Microsoft Entra admin center:

  - Admin signs in to the Microsoft Entra admin center at https://entra.microsoft.com.
  - Go to Entra ID > Users.
  - Select the affected user account.
  - Select Authentication methods.
  - Select Require re-register multifactor authentication.

  This action removes existing Microsoft Authenticator registrations and other MFA methods listed (phone numbers, Authenticator apps, software OATH tokens). Next time sign-in occurs, the system will prompt to set up MFA again on a new phone.

  If there are multiple registered sign-in methods and the user can still sign in via another method (for example SMS or phone call), the user can also clean up old Authenticator registrations directly:

  - Go to https://aka.ms/mysecurityinfo.
  - Review the list of sign-in methods.
  - Delete the entries corresponding to the old Authenticator app/device.
  - Add the new Authenticator app on the new phone when prompted.

- If this is a work or school account and there is no other admin

  If the locked-out account is the only global/admin account in the tenant, an internal admin cannot reset MFA. In this case, a support ticket must be opened so Microsoft’s Data Protection team can reset MFA and restore access. This is done via Microsoft support channels (phone or support request) as shown in the referenced Q&A examples; once they reset MFA, sign in again and register the Authenticator app on the new device.

- If this is a personal Microsoft account

  For personal accounts, the same principle applies: use an alternate sign-in method if available (SMS, email, etc.) to access security info and remove the old Authenticator method at https://aka.ms/mysecurityinfo. If no alternate method is available and full lockout occurs, contact Microsoft consumer support so the Data Protection or account recovery process can reset MFA.

In all cases, after MFA is reset or old methods are removed, sign in again and follow the prompts to add Microsoft Authenticator on the new phone.
References:
- Manage user authentication methods for Microsoft Entra multifactor authentication
- Can't set up MFA because five devices are already registered to use an authenticator app
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- Azure has blocked myphone number for SMS verification due to a “bad reputation” flag - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
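
For admins who prefer a scripted review of a work or school account before and after the reset, the following is an added example (not part of the original answer, and not Microsoft's own script). It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) is installed and that the signed-in admin can consent to the `UserAuthenticationMethod.ReadWrite.All` scope; the parameter names `UserId` and `Remove` are chosen for this example.

```powershell
# Added example: list a user's registered sign-in methods and, only when
# -Remove is given, delete the Microsoft Authenticator registrations that
# belonged to the lost phone. Assumes the Microsoft Graph PowerShell SDK.
param(
    [Parameter(Mandatory)] [string] $UserId,  # UPN or object ID of the affected user
    [switch] $Remove                          # without this switch the script only reports
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Every registered method by type, so it is clear what the user can still
# sign in with once the Authenticator entries are gone.
Get-MgUserAuthenticationMethod -UserId $UserId | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }
} | Format-Table -AutoSize

# Microsoft Authenticator registrations only.
$apps = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId)
if ($apps.Count -eq 0) {
    Write-Host "No Microsoft Authenticator registrations found for $UserId."
    return
}
$apps | Select-Object Id, DisplayName, PhoneAppVersion, CreatedDateTime |
    Format-Table -AutoSize

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove to delete the entries listed above.'
    return
}

foreach ($app in $apps) {
    try {
        # -Confirm prompts per entry, so a registration on a phone the user
        # still holds can be skipped.
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId `
            -MicrosoftAuthenticatorAuthenticationMethodId $app.Id `
            -Confirm -ErrorAction Stop
        Write-Host "Removed: $($app.DisplayName) [$($app.Id)]"
    }
    catch {
        Write-Warning "Could not remove $($app.Id): $($_.Exception.Message)"
    }
}
```

Running it once without `-Remove` before the reset and once after gives a record of which methods were registered and confirms the old device no longer appears.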