
Asking for MFA When Disabled On Account

admin_H Phillips 0 Reputation points
2026-04-03T20:32:52.3133333+00:00

I have a user with an account that suddenly started asking for MFA via Authenticator when MFA is disabled. The user is unable to regain access, reset the password, or change any MFA settings to add the account to their Authenticator app. One log stated the account was locked due to too many failed attempts and directed them to reset the password, but that is now a never-ending loop. Selecting "Can't use app" is of no help, as it goes right to "approve on app" or "get a code from the app". Again, a loop that can't be resolved.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Rukmini 35,655 Reputation points Microsoft External Staff Moderator
    2026-04-03T20:37:29.7+00:00

    Hey there! It sounds like your user is stuck in an endless MFA loop—even though you believe MFA is turned off—which usually means there’s some other enforcement (Security Defaults, Conditional Access, per-user MFA or the “Admin portals must use MFA” rule) kicking in behind the scenes. Here’s a plan to get them back in:

    1. Find out what’s really enforcing MFA
      • In the Azure portal go to Azure Active Directory > Monitoring > Sign-ins
      • Filter on the user and open the latest “Interrupted” or “Failure” entry
      • Under the Authentication Details tab check “Authentication policies applied.”
        – If you see Security Defaults, that can’t be scoped per user (you’d have to turn it off tenant-wide)
        – If you see a Conditional Access policy, open it or run the “What-if” tool to see why that user is in scope
        – If it’s “App requires multifactor authentication,” it might be the Azure/Entra Admin portals enforcement
    2. Verify per-user MFA status
      • In the Azure AD admin center go to Users > Multi-factor authentication > ensure your user is Disabled here
      • If it’s Enabled, click Disable to clear it out
    3. Clear their stale methods and force re-registration
      • In Azure AD go to Users > [your user] > Authentication methods
      • Under “Require re-register MFA” turn that on. This deletes their old Authenticator registration.
      • Ask the user to log in again (they’ll see the fresh registration flow).
    4. Give them a password reset that doesn’t trigger MFA
      • In Azure AD go to Users > [your user] > Reset password
      • Ensure Self-Service Password Reset (SSPR) is configured with at least one non-MFA method (email or SMS) so they can break out of the loop
    5. If it’s Conditional Access or Admin-portal MFA
      • Edit or temporarily disable the policy for that user (or create an exclusion group)
      • Use a “break-glass” Global Admin account that you’ve excluded from CA to sign in and fix settings

    Bonus Trick (PowerShell):

    You can also remove all their auth methods in bulk with Remove-AzureADUserAuthenticationMethod and then let them re-add phone or authenticator.

    Hope this gets them unstuck—once they’re back in you can fine-tune your CA or Security Defaults settings so it doesn’t happen again!

    Reference docs

    • Resolve MFA failures & force re-registration: https://learn.microsoft.com/entra/identity/authentication/howto-mfa-userstates#reset-mfa-methods

    • Troubleshoot MFA prompts & determine source: https://learn.microsoft.com/entra/identity/conditional-access/what-if-tool

    • Security Defaults overview: https://learn.microsoft.com/entra/fundamentals/security-defaults

    • Mandatory Admin portal MFA: https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet

    • Self-Service Password Reset setup: https://learn.microsoft.com/entra/identity/authentication/howto-registration-mfa-sspr-combined

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.


  2. Q&A Assist
    2026-04-03T20:33:11.04+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior indicates that Microsoft Entra multifactor authentication is still enforced for the user, and repeated failed attempts have likely triggered account lockout protection. Because the only configured verification method is Microsoft Authenticator, the user is stuck in an MFA loop.

    Use the following steps depending on role and situation:

    1. Wait out lockout and try alternate MFA methods (if any exist)
      • Microsoft Entra multifactor authentication can block sign-ins after many failed attempts. The user should wait and then try again.
      • If the user has more than one verification method configured (phone call, SMS, other app), sign in again and select a different verification method on the sign-in page.
      • If text or call are blocked by a third-party security app on the device, temporarily disable that app and request another MFA code.
    2. If the user still cannot receive any MFA prompt or code
      • Follow the end-user troubleshooting guidance for two-step verification issues, including checking for silent notifications, ensuring the authenticator app is updated, and verifying network connectivity and device time settings.
      • If the user repeatedly sees “Authentication did not complete,” verify:
        • Microsoft Authenticator is unlocked.
        • Notifications are enabled and not silenced.
        • The app is on the latest version.
        • The device has a working network connection.
    3. Admin reset of MFA for the affected user
      • An administrator in the tenant must reset the user’s MFA registration so the user can re-register methods:
        1. Sign in to the Microsoft Entra admin center as a Global Administrator or appropriate admin.
        2. Go to Identity → Users → All users.
        3. Select the affected user.
        4. Open Authentication methods.
        5. Select Require re-register multifactor authentication.
      • After this, the next successful sign-in will force the user through MFA registration again, allowing a fresh setup of Microsoft Authenticator or another method.
    4. If the locked-out user is an admin and no other admin can help
      • If the affected account is the only Global Administrator and cannot sign in due to MFA, contact Microsoft support and request escalation to the Data Protection team to reset MFA on the tenant admin account. This is the documented path when no other admin exists to perform the reset.
    5. If repeated sign-in attempts continue to fail
      • Because Entra MFA detects repeated attempts and may block further sign-ins, avoid continuous retries. Wait before trying again or use a different verification method if available.
      • If malicious activity is suspected or logs show unusual behavior, an IT administrator should review Microsoft Entra sign-in logs and take appropriate security actions.

    In summary, resolving the loop requires an admin-driven reset of the user’s MFA registration (Require re-register MFA). If no other admin exists, the tenant admin must work with Microsoft support/Data Protection to regain access and then reset MFA.



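Both answers above reduce to the same admin procedure: read the user's sign-in log to see which policy is actually demanding MFA, inventory and clear the stale Authenticator registration (the portal's "Require re-register MFA"), and give the user a way to sign in that does not depend on the lost app. The PowerShell below is an added example written for this page; it is not code from either answer, from the question author, or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgAuditLogSignIn, Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy, Get-MgIdentityConditionalAccessPolicy, Get-MgUserAuthenticationMethod, the Remove-MgUserAuthentication*Method cmdlets and New-MgUserAuthenticationTemporaryAccessPassMethod) rather than the retired AzureAD module. Assumptions: you run it from a break-glass admin account that is excluded from Conditional Access and holds the Authentication Administrator (or Privileged Authentication Administrator, for admin targets) role; the UPN jane.doe@contoso.example is a constructed placeholder; Temporary Access Pass is enabled in the tenant's Authentication methods policy; and the function name Reset-UserMfaMethods is mine.

```powershell
# Added example, not from the original thread. Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Run from a break-glass admin account that is excluded from Conditional Access (assumption).
$Upn = 'jane.doe@contoso.example'   # constructed placeholder: replace with the affected user

Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
    'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

# --- 1. What is really enforcing MFA? Inspect the user's most recent sign-ins.
#   ErrorCode 50053 = account locked / IP blocked, 50074 and 50076 = MFA required or not passed,
#   500121 = the strong-auth challenge itself failed (e.g. no Authenticator to approve it).
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 25 |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.CreatedDateTime
            App        = $_.AppDisplayName
            ErrorCode  = $_.Status.ErrorCode
            Reason     = $_.Status.FailureReason
            AuthReq    = $_.AuthenticationRequirement          # single- or multiFactorAuthentication
            RequiredBy = ($_.AuthenticationRequirementPolicies |  # securityDefaults, user (per-user MFA),
                          ForEach-Object { "$($_.RequirementProvider): $($_.Detail)" }) -join '; '
            CaApplied  = ($_.AppliedConditionalAccessPolicies |
                          Where-Object { $_.Result -in 'success', 'failure' } |
                          ForEach-Object { "$($_.DisplayName) [$($_.Result)]" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap

# Tenant-wide enforcers that cannot be scoped to one user:
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and 'mfa' -in $_.GrantControls.BuiltInControls } |
    Select-Object DisplayName, State | Format-Table -AutoSize

# --- 2. Inventory the user's registered methods (in the question, only Authenticator exists).
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

# --- 3. Equivalent of the portal's "Require re-register MFA": delete the stale methods so the
#        next successful sign-in drops the user into the registration flow. Password and any
#        Temporary Access Pass are deliberately left alone so the user can still get in.
function Reset-UserMfaMethods {
    param([Parameter(Mandatory)][string]$UserId)
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserId) {
        $type = $m.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod' {
                Remove-MgUserAuthenticationEmailMethod -UserId $UserId -EmailAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod' {
                Remove-MgUserAuthenticationFido2Method -UserId $UserId -Fido2AuthenticationMethodId $m.Id }
            default { "Keeping $type ($($m.Id))" }   # password, TAP, Windows Hello: not touched here
        }
    }
}
Reset-UserMfaMethods -UserId $Upn

# --- 4. Break the loop: a one-time Temporary Access Pass satisfies the MFA requirement without
#        the lost Authenticator, so the user can sign in and register a new method.
#        Assumes TAP is enabled in Entra > Protection > Authentication methods.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
"Give this to the user out of band, only after verifying their identity: $($tap.TemporaryAccessPass)"
```

The order matters: diagnose first, because if the sign-in log shows Security Defaults or an admin-portal requirement, toggling the per-user MFA state does nothing. Resetting someone's MFA is exactly what a helpdesk social-engineering attempt asks for, so the TAP is issued once, for a short lifetime, and only after identity verification through a channel other than the locked-out account; the 50053 lockout entries the question mentions are also worth reading before the reset, since repeated MFA denials can be an attacker hammering the account rather than the user.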
