My Sign-Ins: Can't remove old (or compromised) MFA method

Stefan Rickli 21 Reputation points
2022-08-06T14:56:12.173+00:00

So, being new to the Azure world, I tinkered around a bit with MFA, and it struck me that it seems that I can't delete a previously added authenticator-app (there are now two registered).

https://mysignins.microsoft.com/security-info

What if, for any reason, someone stole my phone, and they saw my screen unlock code? Or same with my OnlyKey (hardware password manager)?
I wouldn't be able to delete the compromised MFA method.

Also, even if there was a 'delete' button, at the moment I wouldn't know which entry to delete (see screenshot).

[screenshot attached]

Microsoft Entra ID

Accepted answer
  1. Sandeep G-MSFT 14,916 Reputation points Microsoft Employee
    2022-08-19T08:24:56.18+00:00

    @Stefan Rickli

    As per your workaround, another global admin can delete the MFA methods from within Azure AD. Go to the User > Authentication Methods > Change to Preview Mode if in Legacy View, then you see a list of the user's MFAs. You can then delete the method in question.

    You had to create a temporary global admin user since my tenant had only one regular global admin aside from the emergency admin account (whose login details are in a bank vault).

    Also, now you are able to log in to https://mysignins.microsoft.com/ without 2FA, and as soon as I access https://mysignins.microsoft.com/security-info I get prompted for 2FA, and the delete buttons are present.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
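The admin-side workaround described in the answer, done from the command line with Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft's documentation; it assumes the Microsoft.Graph module is installed, the signing-in admin holds a role permitted to manage other users' authentication methods, and the user principal name and method ID are placeholders to replace.

```powershell
# Added example (not from the Q&A thread): an admin lists a user's registered
# authentication methods and removes one Authenticator-app registration.
# Assumptions: Microsoft.Graph PowerShell module installed; $UserId is a
# placeholder UPN; $compromisedId is a placeholder copied from the listing.
param(
    [string]$UserId = "user@contoso.example"   # placeholder, replace with the affected account
)

# Permission scope needed to read and delete another user's authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# First list every registered method with its type, so that an entry that is
# not an Authenticator-app registration (phone, FIDO2, software OATH token, ...)
# is not overlooked.
$all = Get-MgUserAuthenticationMethod -UserId $UserId
$all | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Type = $_.AdditionalProperties['@odata.type']
    }
} | Format-Table -AutoSize

# Authenticator-app registrations carry a display name, app version and
# registration time, which is what tells two otherwise identical entries apart.
$apps = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId
$apps | Select-Object Id, DisplayName, PhoneAppVersion, CreatedDateTime |
    Format-Table -AutoSize

# Remove the registration the user identified as lost or compromised.
$compromisedId = "<id-from-listing>"   # placeholder, take the ID from the listing above
Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId `
    -MicrosoftAuthenticatorAuthenticationMethodId $compromisedId

# Confirm it is gone before asking the user to register a new device.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId |
    Select-Object Id, DisplayName, CreatedDateTime
```

Listing all method types before deleting anything is the useful part: it shows whether the entry the user wants gone is really an Authenticator-app registration or is registered under a different method type.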

2 additional answers

  1. Stefan Rickli 21 Reputation points
    2022-08-06T16:08:24.783+00:00

    For about 30 mins after writing the initial post, I was able to log in to https://mysignins.microsoft.com via the Azure AD portal user authentication method configuration and then browse to the menu in the screenshot above, and then there was a delete button.
    Same with logging in via https://myapplications.microsoft.com/ , then "Show Profile" > "Security information".

    But now for some reason, the button doesn't show anymore. Tried it using private browser sessions from Edge and Chrome - no luck anymore.

    I found a workaround though:
    Another global admin can delete the MFA methods from within the Azure AD. Go to the User > Authentication Methods > Change to Preview Mode if in Legacy View, then you see a list of the user's MFAs. You can then delete the method in question.
    I had to create a temporary global admin user since my tenant had only one regular global admin aside from the emergency admin account (whose login details are in a bank vault).


  2. Adrian Tang 0 Reputation points
    2024-05-01T07:01:20.11+00:00

    This has happened to me in real life. My (lost) phone had been added as a legacy OTP device to my institutional account (nhs.net) BEFORE enrolling with the imminent corporate mandate to register for Azure MFA. None of the admins can now either find or remove my old phone, and I keep getting asked for codes from this lost legacy device despite being "re-enrolled" for MFA. They can temporarily suspend MFA on my account, and when I go into My Sign-Ins I find no trace of my old Android phone. But the account keeps asking me for verification codes from it. I cannot register my new phone as an Authenticator-app-based MFA device, only as a FIDO2 device, which does not currently work well with the Android apps I have. Buying a USB FIDO2 fingerprint dongle is a possible workaround which I am working up to...
