Share via

My Sign-Ins: Can't remove old (or compromised) MFA method

Stefan Rickli 21 Reputation points
2022-08-06T14:56:12.173+00:00

So, being new to the Azure world, I tinkered around a bit with MFA, and it struck me that it seems that I can't delete a previously added authenticator-app (there are now two registered).

https://mysignins.microsoft.com/security-info

What if, for any reason, someone stole my phone, and they saw my screen unlock code? Or same with my OnlyKey (hardware password manager)?
I wouldn't be able to delete the compromised MFA method.

Also, even if there was a 'delete' button, at the moment I wouldn't know which entry to delete (see screenshot).

228804-image.png

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. Sandeep G-MSFT 21,131 Reputation points Microsoft Employee Moderator
    2022-08-19T08:24:56.18+00:00

    @Stefan Rickli

    As per your work around another global admin can delete the MFA methods from within the Azure AD. Go to the User > Authentication Methods > Change to Preview Mode if in Legacy View, then you see a list of the user's MFAs. You can then delete the method in question.

    You had to create a temporary global admin user since my tenant had only one regular global admin aside from the emergency admin account (whose login details are in a bank vault).

    Also, now you are able to login to https://mysignins.microsoft.com/ without 2FA, and as soon as I access https://mysignins.microsoft.com/security-info I get prompted for 2FA, and the delete buttons are present.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adrian Tang 0 Reputation points
    2024-05-01T07:01:20.11+00:00

    This has happened to me in real life. My (lost) phone had been added as a legacy OTP device to my institutional account (nhs.net) BEFORE enrolling with the imminent corporate mandate to register for Azure MFA. None of the admins can now either find or remove my old phone and I keep getting asked for codes from this lost legacy device despite being "re-enrolled" for MFA. They can temporarily suspend MFA on my account, and when I go into My Signins I find no trace of my old android phone. But the account keeps asking me for verification codes from it. I cannot register my new phone as an Authenticator app based MFA device. Only as a FIDO2 device which does not currently work well with Android apps I have. Buying a USB FIDO2 fingerprint dongle is a possible workaround which I am working up to....

    0 comments
  2. Stefan Rickli 21 Reputation points
    2022-08-06T16:08:24.783+00:00

    For about 30mins after writing the initial post, I was able to login to https://mysignins.microsoft.com via the Azure AD portal user authentication method configuration and then browse to the menu in the screenshot above, and then there was a delete button.
    Same with logging in via https://myapplications.microsoft.com/ , then "Show Profile" > "Security information".

    But now for some reason, the button doesn't show anymore. Tried it using private browser sessions from Edge and Chrome - no luck anymore.

    I found a workaround though:
    Another global admin can delete the MFA methods from within the Azure AD. Go to the User > Authentication Methods > Change to Preview Mode if in Legacy View, then you see a list of the user's MFAs. You can then delete the method in question.
    I had to create a temporary global admin user since my tenant had only one regular global admin aside from the emergency admin account (whose login details are in a bank vault).

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.