Register an authentication method even though MFA is already configured

Question

Prompting to register an authentication method even though MFA is already configured with the Keeper app (Password Manager app) and a mobile number. This issue is currently appearing only for global admin accounts.

Answer 1

Hi @Hasitha Wickramasinghe, 

Thank you for your question on the Microsoft Q&A forum. 

Regarding the prompt to register an additional authentication method, even though MFA is already configured with the Keeper app and a mobile number: 

This behavior is expected and is by design for Global Administrator accounts. Microsoft Entra ID enforces stricter security requirements for privileged roles, including Global Admins. As part of this, Self-Service Password Reset (SSPR) and authentication policies require at least two supported authentication methods (such as SMS, Microsoft Authenticator, or Email). 

Third-party apps like Keeper are not recognized as valid authentication methods for SSPR or as a replacement for the Microsoft Authenticator app. Therefore, even if MFA appears configured, the system will continue to prompt for additional registration until the required supported methods are in place. 

You could refer to this article for a better view : Enable Microsoft Entra self-service password reset - Microsoft Entra ID | Microsoft Learn 

Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.                

I really appreciate your patience, and I’m here to help. Looking forward to your response!                         

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment"

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread      

Answer 2

Global admin accounts can be prompted to register additional authentication methods even when MFA is already configured because Microsoft Entra ID evaluates all applicable authentication method and MFA/SSPR policies together. If any policy requires or allows additional methods for a user (for example, a Conditional Access policy requiring specific methods, or combined security registration being enforced), the user can be asked to add or confirm methods beyond what is already configured (such as Keeper or a phone number).

Key behaviors relevant to this scenario:

1. Independent authentication method policies
   • Authentication methods, legacy MFA, and legacy SSPR policies are managed independently and aren’t synchronized.
   • A user who is enabled for a method in any policy can register and use that method.
   • To prevent use of a method, it must be disabled in all policies.
   • As a result, if a policy requires or encourages registration of specific methods (for example, Microsoft Authenticator, passkeys, or phone), global admins may see prompts to register or confirm those methods even if they already have other MFA options configured.
2. Combined security registration and strong methods
   • Users are encouraged to register combined security info at https://aka.ms/mysecurityinfo so that MFA and SSPR methods are centrally managed.
   • For MFA-enabled users, at least one strong authentication method is required; depending on configuration, this can be enforced as email/SMS OTP, Microsoft Authenticator, passkeys, or other supported methods.
   • If an admin policy expects a specific strong method (for example, Microsoft Authenticator or passkey) and the user only has other methods (such as a password manager app OTP), the portal can prompt to register the required method.
3. Global admin–specific requirements
   • Global admins are high-value targets and are often subject to stricter Conditional Access and authentication method policies (for example, requiring specific methods like Microsoft Authenticator, passkeys, or phone-based MFA).
   • If those policies differ from standard users (for example, a separate group-based policy for admins), only global admins will see the extra registration prompts.
4. How to manage or adjust methods
   • Admins can centrally add or change authentication methods for a user in the Microsoft Entra admin center under Entra ID > Users > [User] > Authentication methods, including phone and email (email is for SSPR, not sign-in).
   • Users can manage their own methods at My Sign Ins | Security info (https://mysignins.microsoft.com/security-info), where they can add or remove methods such as phone, authenticator apps, or passkeys.
   • To reduce unnecessary prompts, review and align authentication method policies (Authentication methods policy, legacy MFA, and SSPR) so that required methods for global admins match what is actually needed.
5. Passkeys and additional methods
   • If passkeys (FIDO2) are enabled as an authentication method, users may be prompted to add a passkey. To do so, they must first sign in with MFA, then add a passkey from Security info by selecting Add sign-in method > Passkey and completing the registration flow.

In practice, resolving repeated prompts for global admins typically involves:

• Reviewing which authentication methods are enabled for admin groups in all relevant policies.
• Ensuring that required methods (for example, Microsoft Authenticator or passkeys) are registered for those admins via Security info.
• Removing or adjusting overlapping legacy policies if they are enforcing additional methods unnecessarily.

---

References:

• Manage authentication methods for Microsoft Entra ID
• Manage user authentication methods for Microsoft Entra multifactor authentication
• Migrate to Microsoft Entra multifactor authentication and Microsoft Entra user authentication
• Register a passkey (FIDO2)
• Tutorial: Add email strong authentication method registration to your Android app
• Use a screen reader to set up and troubleshoot multifactor authentication