Unrequested prompts in Microsoft Authenticator typically mean one of the following:
- Someone is trying to sign in to the account using the correct username and possibly a known or guessed password, and is being blocked at the second factor.
- Someone mistyped their email/phone when trying to sign in, and their attempts are hitting this account instead.
- A previously initiated sign-in or verification request is being delivered late.
For verification codes and sign-in prompts, Microsoft documents the same causes:
- A malicious attempt to access the account.
- Another user accidentally entering this email/phone.
- Delayed delivery of a previously requested code or prompt.
Because the prompts are still appearing after a password change, it is likely that attackers or mistyped sign-ins are continuing to submit this username and triggering MFA challenges. As long as the prompts are denied and the attacker cannot complete the second factor, the account remains protected.
Recommended actions based on the documented guidance:
- Deny every request not initiated personally
  - Always select Deny on any sign-in prompt or code that was not explicitly requested.
- Review recent sign-in activity
  - Go to the Recent activity / My sign-ins view for the account and review sign-ins and MFA attempts.
  - If unfamiliar activity is found, change the password again and ensure multi-factor authentication remains enabled.
- Strengthen sign-in and MFA
  - Ensure two-step verification (multi-factor authentication) is enabled so that even if a password is guessed, it is not sufficient to access the account.
  - Consider going passwordless (for example, using Microsoft Authenticator or other passwordless methods) to reduce reliance on passwords that can be guessed or phished.
- Ignore unrequested codes
  - Do not respond to or enter any verification codes that were not requested. Without the correct response, an attacker cannot complete sign-in.
These steps align with Microsoft’s guidance for unrequested verification codes and sign-in prompts and help ensure the account remains secure even when repeated attempts are made from other locations.