MFA registration question

HK G 516 Reputation points
2021-10-26T18:33:09.557+00:00

I use conditional access to trigger MFA for our Office 365 applications. I need some help dealing with this situation. Some users, for some reason, are unable to use their registered MFA method due to relocation, a lost phone, etc. If I want them to add a new verification method, I thought I could disable MFA for their account by removing them from the conditional access rule and allow them to access the MFA registration portal. What I see is that the user indeed doesn't need to verify with MFA when accessing the applications; however, they are still prompted for MFA when they try to access the MFA area. So this is kind of a catch-22. I know I can require them to re-register MFA from the AAD portal. I wonder if this is the only way to do that. Users will need to register all their MFA methods rather than just adding a new one.

Thanks

Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2021-10-27T08:47:01.653+00:00

    Hi @HK G • Thank you for reaching out.

    Yes, you are right. Users who are unable to use their registered MFA method won't be able to add another MFA method without re-registering for MFA. You can require them to re-register MFA from the AAD portal or by using the PowerShell cmdlet below (for bulk operation):

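        # Sign in to the tenant with the MSOnline module
        Connect-MsolService
        # Clear the user's registered MFA methods so they must re-register
        Set-MsolUser -UserPrincipalName username@your-tenant.onmicrosoft.com -StrongAuthenticationMethods @()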
    

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
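
The answer mentions bulk operation but shows the call for a single user. The following is an added example (not part of the original answer) that loops the same cmdlets over a CSV and records each user's previously registered methods as an audit trail. The file names, the `UserPrincipalName` column and the `-Apply` switch are assumptions.

```powershell
# Added example, not from the original answer.
# Assumption: reset-list.csv (hypothetical file) has a header row with a
# UserPrincipalName column, listing only users whose reset request was verified.
param(
    [string]$CsvPath  = '.\reset-list.csv',      # hypothetical input file
    [string]$AuditLog = '.\mfa-reset-audit.csv', # hypothetical output file
    [switch]$Apply                               # without -Apply, report only
)

Connect-MsolService

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn    = "$($row.UserPrincipalName)".Trim()
    $before = ''
    try {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        # Capture what was registered before the reset, for the audit trail.
        $before = ($user.StrongAuthenticationMethods |
            ForEach-Object { $_.MethodType }) -join ';'

        if ($Apply) {
            # Same call as in the answer: clears all registered methods,
            # so the user has to re-register.
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationMethods @() -ErrorAction Stop
            $status = 'Reset'
        } else {
            $status = 'DryRun'
        }
    } catch {
        # Unknown UPN, empty row, or a failed reset: log it and continue.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        TimeUtc           = (Get-Date).ToUniversalTime().ToString('o')
        UserPrincipalName = $upn
        MethodsBefore     = $before
        Status            = $status
    }
}

$results | Export-Csv -Path $AuditLog -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Run it once without `-Apply` to review the list and the current methods, then again with `-Apply`. Microsoft has since deprecated the MSOnline module, so confirm it still works in your tenant before relying on it.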
