The error occurs because the account already has five authenticator apps or hardware tokens registered, which is the maximum allowed. Since the account is also the only admin, use one of the following approaches to break the deadlock.
- Try deleting sign-in methods in a browser
If sign-in is still possible (for example, via another MFA method like SMS or phone call):
- Go to https://aka.ms/mysecurityinfo.
- Review the list of sign-in methods (phone, authenticator app, etc.).
- Delete one or more authenticator app methods so that fewer than five remain.
- After that, add Microsoft Authenticator again on the new device.
If a passwordless sign-in method is configured and cannot be deleted, first set up another two-factor method (such as SMS or phone call), then use that method to sign in and delete the passwordless authenticator entry.
If there is another admin in the tenant, that admin should do the following in the Azure portal:
- Open Microsoft Entra ID → Users → select the user → Authentication methods.
- Select Require re-register multifactor authentication.
- Then the user can reconfigure MFA and remove old methods via https://aka.ms/mysecurityinfo.
- Use Microsoft Graph as Global Administrator
If sign-in as a Global Administrator is possible, the authenticator methods can be deleted via Microsoft Graph:
- Sign in to Graph Explorer as a Global Administrator.
- Run a GET request:
https://graph.microsoft.com/beta/users/<user-principal-name>/authentication/microsoftAuthenticatorMethods
- From the response, copy the id (GUID) of each authenticator method to remove.
- For each id, run a DELETE request:
https://graph.microsoft.com/beta/users/<user-principal-name>/authentication/microsoftAuthenticatorMethods/<authenticator-id-guid>
- After deleting enough methods, set up Microsoft Authenticator again.
- If completely locked out as sole admin
If no MFA method works and sign-in is impossible, and there is no other admin who can reset MFA, the tenant is in a lockout state. In this case, contact Microsoft support and request the Data Protection team to reset the admin’s MFA methods. This is the only way to regain access when the sole Global Administrator is locked out and cannot complete MFA.
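As an added example (not part of the original answer and not Microsoft's code), this Python script takes a saved response from the GET request in the Graph steps above and works out which DELETE requests to run, removing the oldest registrations first. The sample response, the placeholder UPN, the function names and the use of the `displayName` and `createdDateTime` fields are assumptions of this example.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"
MAX_METHODS = 5  # registration limit stated in the answer above

# Constructed sample of the GET response; ids, names and dates are made up.
SAMPLE = json.loads("""{"value": [
 {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Phone A", "createdDateTime": "2021-03-01T09:00:00Z"},
 {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Phone B", "createdDateTime": null},
 {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Phone C", "createdDateTime": "2023-06-10T09:00:00Z"},
 {"id": "00000000-0000-0000-0000-000000000004", "displayName": "Phone D", "createdDateTime": "2022-01-15T09:00:00Z"},
 {"id": "00000000-0000-0000-0000-000000000005", "displayName": "Phone E", "createdDateTime": "2024-02-20T09:00:00Z"}
]}""")

def methods_url(upn):
    # Guest UPNs contain '#', which must be percent-encoded in the URL path.
    return f"{GRAPH}/users/{quote(upn, safe='@')}/authentication/microsoftAuthenticatorMethods"

def created(method):
    ts = method.get("createdDateTime")
    if not ts:  # a missing timestamp sorts as the oldest entry
        return datetime.min.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def plan_deletions(response, keep):
    """Ids to delete, oldest first, so that only the `keep` newest methods remain."""
    if not 0 <= keep < MAX_METHODS:
        raise ValueError("keep must be below the limit to leave room for a new device")
    ordered = sorted(response.get("value", []), key=created)
    return [m["id"] for m in ordered[:max(0, len(ordered) - keep)]]

def delete_requests(upn, ids):
    # One DELETE per method id, in the URL form given in the steps above.
    return [("DELETE", f"{methods_url(upn)}/{quote(i, safe='')}") for i in ids]

if __name__ == "__main__":
    upn = "admin@contoso.example"  # placeholder UPN
    for verb, url in delete_requests(upn, plan_deletions(SAMPLE, keep=3)):
        print(verb, url)
```

The script only prints the requests; each one is then run from Graph Explorer as described in the steps.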