![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 55.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Based on the description, the account is in a 30‑day restricted state because all security info was removed and replaced. During this period, normal sign-in is not possible, even if the password is known. This restriction is by design and cannot be shortened.
When all security info is removed, the account is put into a restricted state for 30 days to protect against unauthorized changes. During these 30 days, the message "Your security info change is still pending" or "You can't access this site right now" appears, and access to the account is limited until the waiting period ends.
If the security info change was initiated personally, the only supported path is to wait for the 30 days to complete. If the change was not made personally and the account may be compromised, follow the guidance in the security-info-pending article to review the notifications sent to the original security info and use any available option there to cancel the change. If cancellation is not possible, the 30‑day wait still applies.
For sign-in loops involving Microsoft Authenticator, if there is no other verification method available (such as SMS, alternate email, or other security info that still works), the account remains bound by the same 30‑day restriction once all security info has been replaced.
References: