Reset Two-Factor Authentication on Microsoft 365 Admin
Why This Is Happening
I've seen this exact situation more times than I can count: you're trying to get into the Microsoft 365 Admin Center, you enter your credentials, and then the portal just sits there demanding a second-factor verification you simply can't complete. Maybe your phone was wiped, stolen, or replaced. Maybe you switched authenticator apps. Maybe you set up MFA a year ago on a device that no longer exists. Whatever the reason, you're locked out of your own admin account, and Microsoft's error message gives you approximately zero useful guidance.
The message you're seeing, typically something like "We need more information to keep your account secure" or "Approve sign-in request" repeating in an infinite loop, is Microsoft's Multi-Factor Authentication (MFA) system doing exactly what it was designed to do. It's blocking access because it can't verify your identity through the registered second factor. That's cold comfort when you're the Global Administrator and you need to get in right now.
Here's the core technical issue: Microsoft Entra ID (formerly Azure Active Directory) ties your MFA registration to specific authenticator methods. When you enrolled, you registered one or more of the following: the Microsoft Authenticator app on a specific device, a phone number for SMS OTP codes, a hardware FIDO2 key, or a TOTP app like Google Authenticator. If the device or number tied to those registrations is unavailable, the authentication chain breaks completely.
There are a few distinct scenarios that cause this lockout:
- Lost or replaced phone: your Microsoft Authenticator push notifications go to a device you no longer have
- Phone number change: SMS one-time codes are sent to an old number
- Corrupted Authenticator app data: the app is present but the account registration is gone
- Conditional Access policy blocking legacy auth: your organization's policies reject the sign-in before MFA even triggers correctly
- Tenant-wide MFA enforcement with no bypass registered: someone enabled Security Defaults or a Conditional Access policy and the admin has no fallback method
The frustrating part is that standard user password resets won't help here. This is purely an authentication method problem. And because you're locked out of the Admin Center itself, many of the normal self-service options are unavailable. You'll need a specific recovery path, and that's exactly what this guide covers.
The Quick Fix: Try This First
Before going deep into recovery steps, try the fastest route first: Microsoft's self-service MFA reset portal. This works if your admin account had a secondary verification method registered at any point, even just an email address or a backup phone number you may have forgotten about.
Open a private/incognito browser window and navigate to https://aka.ms/mfasetup. Sign in with your admin credentials. If Microsoft detects that you have alternate verification methods on file, it will walk you through verifying with those instead of your primary MFA method. This bypasses the stuck authentication request entirely.
If that URL prompts the same looping MFA challenge, try the account recovery portal instead at https://account.live.com/acsr, though note this is primarily for personal Microsoft accounts, not work/school accounts tied to a Microsoft 365 tenant.
For organizational Microsoft 365 accounts (the kind that signs into admin.microsoft.com), the self-service path depends on what your tenant has configured. Try this URL directly:
https://mysignins.microsoft.com/security-info
When prompted for MFA, look for the link that says "I can't use my Microsoft Authenticator app right now" or "Use a different verification option". These appear as small text links below the main MFA prompt; they're easy to miss but critically important. Clicking one shows every fallback method registered on your account.
If you see SMS listed there and your phone number is still valid, choose that; the code arrives within 60 seconds. Once you're in via the fallback, immediately go to Security Info and update your primary authenticator to your current device. Don't close the session before you do this.
This is the most underrated step and the one that resolves the situation fastest when it applies. Microsoft's own best-practice guidance, which most organizations ignore until a day like today, recommends maintaining at least two Global Administrator accounts, with the second one specifically being a "break-glass" emergency account that has MFA either disabled or configured with a completely different authentication method.
If your organization has another Global Admin account (check with colleagues in IT), have them log into the Microsoft 365 Admin Center at admin.microsoft.com and navigate to:
Users > Active Users > [your locked account] > Manage multifactor authentication
On the legacy MFA management page that opens (it opens in a separate pop-up window, so disable any pop-up blocker), find your account in the list, select it, and click "Manage user settings" on the right panel. Then check the box for "Require selected users to provide contact methods again" and hit Save.
This clears your existing MFA registrations entirely. The next time you sign in, Microsoft takes you through the MFA enrollment wizard from scratch; you register your current device and you're back in business. The entire process takes about four minutes if you have a second admin available.
Alternatively, the second admin can navigate to Entra Admin Center > Users > All Users > [your account] > Authentication Methods and manually delete each registered authentication method from that screen. The result is identical: your account reverts to the "MFA not yet configured" state.
If this works, you'll see a fresh MFA setup prompt at your next login instead of the authentication request loop.
If you do have access through a second admin account, this is the cleaner and more modern way to reset two-factor authentication in Microsoft 365 compared to the legacy MFA portal. The Entra Admin Center gives you granular control over exactly which methods are registered.
Sign into entra.microsoft.com with the second admin account. In the left navigation, go to:
Identity > Users > All Users
Search for the locked admin account by name or UPN (user principal name, the email address format). Click the account to open the user detail blade. In the left menu within that blade, click "Authentication methods".
You'll see a list of every method registered: phone numbers, email addresses, authenticator app entries (each showing the device name like "iPhone" or "Pixel 8"), FIDO2 keys, and Temporary Access Passes. You can delete specific methods individually by selecting them and clicking the delete icon, or you can click "Revoke MFA sessions" at the top of the blade to force a fresh authentication challenge.
For a full reset that re-triggers enrollment, delete all listed authentication methods. The user will then hit the "More information required" setup flow on their next sign-in. This is the recommended path for most scenarios.
There's also a useful option here called "Require re-register MFA"; it appears as a button at the top of the authentication methods page. This doesn't delete the registrations but forces Microsoft to prompt for fresh enrollment on next login, even if valid methods exist. It's useful if you suspect the authenticator data is corrupted rather than missing.
After making changes, the admin account you're recovering will need to sign out of all active sessions. You can force this from the same user blade by going to Sessions and clicking "Revoke sessions".
This is a feature that most Microsoft 365 admins don't know exists, and it's genuinely one of the best tools in the recovery toolkit. A Temporary Access Pass (TAP) is a time-limited passcode generated by an admin that lets a user sign in without MFA, specifically to recover their account or set up new authentication methods. It was introduced in Azure AD in 2021 and is now available in all Microsoft 365 business and enterprise tenants.
A second admin generates a TAP from the Entra Admin Center. Navigate to:
Identity > Users > All Users > [locked account] > Authentication methods
Click "+ Add authentication method", then select "Temporary Access Pass" from the dropdown. Configure it:
- Start time: Now (or a few minutes from now)
- Lifetime: 1 hour is usually enough, keep it short for security
- One-time use: Check this box so the pass expires immediately after use
Click Add. The portal generates a numeric pass, something like 47392851. Copy it and give it to the affected admin securely (not via regular email if possible; use a phone call or secure messaging).
The locked admin then goes to aka.ms/mysecurityinfo or admin.microsoft.com and signs in. When the MFA prompt appears, they enter the Temporary Access Pass in the password field instead of their normal password. Microsoft accepts it, skips the MFA challenge, and drops them directly into Security Info to register fresh authentication methods.
Once inside, they register Microsoft Authenticator on their current phone, verify it works, then log out and back in normally. TAP is automatically invalidated after use if you selected one-time use.
If the Temporary Access Pass option doesn't appear in the dropdown, your tenant hasn't enabled the Temporary Access Pass policy. A second admin can enable it at Entra > Protection > Authentication methods > Temporary Access Pass > Enable.
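The same TAP issuance done from Microsoft Graph PowerShell, as an added example (not code from the original guide). It first checks the tenant-wide TAP policy that the paragraph above mentions, then issues a one-hour, one-time pass. It assumes the Microsoft.Graph SDK is installed and a second admin (Authentication Administrator or higher) is signing in interactively; the function names are hypothetical.

```powershell
# Assumed: Microsoft.Graph PowerShell SDK installed; run by a second admin
# (Authentication Administrator or higher). Function names are hypothetical.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

# Policy.Read.All reads the TAP policy; the second scope issues the pass.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

function Test-TapPolicyEnabled {
    # The tenant switch behind Entra > Protection > Authentication methods > Temporary Access Pass.
    # State alone: the policy can additionally be scoped to groups, which this does not check.
    $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId "TemporaryAccessPass"
    return ($cfg.State -eq "enabled")
}

function New-RecoveryTap {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$LifetimeMinutes = 60   # keep it short; an hour is enough to re-enroll
    )
    if (-not (Test-TapPolicyEnabled)) {
        throw "TAP policy is disabled; enable it under Protection > Authentication methods first."
    }
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" -Property Id
    if (-not $user) { throw "No user found for $UserPrincipalName" }

    # One-time use: the pass is invalidated the moment it is redeemed.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
        -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce

    # Hand the value over out of band (phone call, secure messaging), not by plain email.
    [pscustomobject]@{
        User      = $UserPrincipalName
        Pass      = $tap.TemporaryAccessPass
        ExpiresAt = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
        OneTime   = $tap.IsUsableOnce
    }
}

New-RecoveryTap -UserPrincipalName "admin@yourdomain.com"
```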
This step is for the scenario where you truly have no second admin available and you're completely locked out. It requires you to have previously set up app-only access via a service principal, or, more practically, that you can authenticate to PowerShell using a certificate or client secret rather than interactive user credentials. It's more technical, but it works.
If you have the Microsoft Graph PowerShell SDK installed and a service principal with User.ReadWrite.All permissions, run this to reset MFA methods:
# Install if needed:
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect using certificate or client credentials (not interactive):
Connect-MgGraph -ClientId "your-app-id" -TenantId "your-tenant-id" -CertificateThumbprint "your-cert-thumbprint"
# Note: the authentication methods endpoints require the UserAuthenticationMethod.ReadWrite.All application permission on the app registration.
# Get the user's object ID:
$user = Get-MgUser -Filter "userPrincipalName eq 'admin@yourdomain.com'"
# List registered authentication methods (each entry carries its Id, and its @odata.type in AdditionalProperties):
Get-MgUserAuthenticationMethod -UserId $user.Id
# Delete a specific Microsoft Authenticator registration (replace with a method Id from the output above):
Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId "method-id-here"
# Or delete a phone (SMS/voice) method:
Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId "method-id-here"
After deleting all authentication methods, the account is effectively in an unenrolled MFA state. The next sign-in from that account triggers the fresh setup wizard.
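The per-method deletions above generalised, as an added example (not code from the original guide): it walks every method registered on the account and removes each with the cmdlet for its type, so you don't have to copy method IDs by hand. It assumes an app-only Connect-MgGraph session whose app registration holds the UserAuthenticationMethod.ReadWrite.All application permission; the function name is hypothetical.

```powershell
# Assumed: already connected app-only (see Connect-MgGraph above) with the
# UserAuthenticationMethod.ReadWrite.All application permission. Function name is hypothetical.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

# Map Graph @odata.type -> the cmdlet that deletes that method type.
# The password method has no delete cmdlet and is skipped.
$MethodRemovers = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = { param($u, $id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id }
    '#microsoft.graph.phoneAuthenticationMethod'                   = { param($u, $id) Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id }
    '#microsoft.graph.emailAuthenticationMethod'                   = { param($u, $id) Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id }
    '#microsoft.graph.softwareOathAuthenticationMethod'            = { param($u, $id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id }
    '#microsoft.graph.fido2AuthenticationMethod'                   = { param($u, $id) Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id }
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = { param($u, $id) Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $u -WindowsHelloForBusinessAuthenticationMethodId $id }
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = { param($u, $id) Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $u -TemporaryAccessPassAuthenticationMethodId $id }
}

function Reset-UserMfaMethods {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$DryRun   # list what would be removed without deleting anything
    )
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" -Property Id
    if (-not $user) { throw "No user found for $UserPrincipalName" }

    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    foreach ($m in $methods) {
        $type    = $m.AdditionalProperties['@odata.type']
        $remover = $MethodRemovers[$type]
        if (-not $remover) {
            Write-Host "skip    $type $($m.Id)"   # password method, or a type this script does not handle
            continue
        }
        if ($DryRun) { Write-Host "would remove $type $($m.Id)"; continue }
        try {
            & $remover $user.Id $m.Id
            Write-Host "removed $type $($m.Id)"
        } catch {
            # Some deletions are rejected (for example a method that is still the account's
            # default sign-in method); report it and carry on with the rest.
            Write-Warning "failed to remove $type $($m.Id): $($_.Exception.Message)"
        }
    }
}

# Preview first, then run for real; the next sign-in then starts MFA enrollment from scratch.
Reset-UserMfaMethods -UserPrincipalName "admin@yourdomain.com" -DryRun
Reset-UserMfaMethods -UserPrincipalName "admin@yourdomain.com"
```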
If you don't have a service principal set up, and this is a brand-new lockout with no alternative access, you'll need to contact Microsoft Support with your tenant ID and proof of admin ownership, covered in the Advanced section below. Don't try to work around this with brute-force approaches; Microsoft's lockout detection will flag the account for suspicious activity and complicate recovery further.
One more PowerShell option worth knowing: the older MSOL module (though being retired) still works in some tenants for MFA management:
Import-Module MSOnline
Connect-MsolService
# Reset MFA to unenrolled state:
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "admin@yourdomain.com"
This single command is the quickest MSOL path. If MSOL still connects in your tenant, this takes about 30 seconds total.
Once you've cleared the old MFA registrations using any of the previous steps, you need to properly set up two-factor authentication again, this time on your current device. Don't skip this step or rush it; a bad re-enrollment is what causes people to end up locked out again six months later.
Open a browser and navigate to:
https://aka.ms/mfasetup
Sign in with your admin credentials. You'll land on the Security Info page at mysignins.microsoft.com/security-info. Click "+ Add sign-in method".
Select "Authenticator app" from the dropdown. On your phone, download Microsoft Authenticator from the App Store or Google Play if you don't already have it installed. Open the app, tap the + icon in the top right, select "Work or school account", then tap "Scan a QR code".
Back on the browser, click Next until you see the QR code. Scan it with the Authenticator app. The app adds your Microsoft 365 account automatically. The browser then sends a test push notification; tap Approve on your phone when it arrives. If approved successfully, click Next on the browser to confirm enrollment.
After the authenticator app is registered, add a backup method. Click "+ Add sign-in method" again and add your phone number for SMS. This is the safety net that prevents the exact situation you're recovering from right now. Test it: click the SMS method, choose "Send code", and verify you receive the text and can enter it successfully.
Also consider adding an alternate email address as a backup. Having three registered methods (authenticator app, SMS, email) means losing one device never locks you out again. Save your changes and sign out, then sign back in to confirm the full MFA flow works end-to-end before wrapping up.
Advanced Troubleshooting
Some lockout scenarios run deeper than simple MFA method resets. Here's what to do when the standard steps don't apply or when you're in a complex enterprise environment.
Security Defaults vs. Conditional Access MFA
There are two separate systems that can enforce MFA in Microsoft 365, and they behave differently during lockouts. Security Defaults is the tenant-wide toggle found at Entra > Overview > Properties > Manage Security Defaults. When enabled, it forces MFA for all users including admins with no exceptions. If you need temporary MFA bypass while recovering an account, a second admin can temporarily disable Security Defaults, but be aware this opens your entire tenant briefly, so do it in a short window and re-enable immediately.
Conditional Access policies are the enterprise alternative. Navigate to Entra > Protection > Conditional Access > Policies. Look for any policy that targets your admin account's user group and requires MFA. You can exclude your specific account temporarily by editing the policy's exclusion list (under Users > Exclude > Users and groups). Add your UPN as an exclusion, save, and attempt sign-in. Remove the exclusion after successful recovery and re-enrollment.
Reading Event Logs for Lockout Root Cause
If you have another machine with a currently valid admin session, pull sign-in logs from Entra to understand exactly why the authentication is failing. Go to Entra > Monitoring & health > Sign-in logs, filter by your UPN and the last 24 hours, and look for entries with status Failure. Expand each failed entry and check the Authentication Details tab.
Key error codes to look for:
- 50074: Strong authentication required but the user's MFA registration is incomplete
- 50076: MFA is required due to a Conditional Access policy
- 53004: User failed to complete proofup (MFA enrollment) as required
- 50072: User needs to register an authentication phone number
- 500121: Authentication failed during strong authentication request; this is the specific code for "authentication request not received" scenarios
These codes tell you exactly which part of the chain is broken and which recovery method applies.
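The same triage done from Microsoft Graph PowerShell, as an added example (not code from the original guide): it pulls the last 24 hours of failed sign-ins for one UPN and maps the error codes listed above to the recovery path this guide recommends. It assumes an admin session with AuditLog.Read.All and Directory.Read.All and an Entra ID P1/P2 licence (Graph does not return sign-in logs without one); the function name is hypothetical.

```powershell
# Assumed: admin session with AuditLog.Read.All and Directory.Read.All, and an
# Entra ID P1/P2 licence. Function name is hypothetical.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Codes and meanings as listed in this guide; Action is the matching recovery path.
$LockoutCodes = @{
    50074  = @{ Meaning = 'Strong authentication required but MFA registration is incomplete'; Action = 'Reset methods or issue a TAP so enrollment can restart' }
    50076  = @{ Meaning = 'MFA required by a Conditional Access policy'; Action = 'Review the CA policy; exclude the account only for the recovery window' }
    53004  = @{ Meaning = 'User failed to complete proofup (MFA enrollment)'; Action = 'Finish enrollment via aka.ms/mfasetup or a TAP' }
    50072  = @{ Meaning = 'User needs to register an authentication phone number'; Action = 'Add a phone method in Security Info' }
    500121 = @{ Meaning = 'Authentication failed during strong authentication request'; Action = 'Push never arrived: use a fallback method or reset the Authenticator registration' }
}

function Get-AdminLockoutTriage {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Hours = 24)
    $since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Server-side filter on user and time window; failures are picked out client-side.
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $failed = Get-MgAuditLogSignIn -Filter $filter -All | Where-Object { $_.Status.ErrorCode -ne 0 }

    $failed | Group-Object { $_.Status.ErrorCode } | ForEach-Object {
        $code    = [int]$_.Name
        $known   = $LockoutCodes[$code]
        $latest  = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        $meaning = if ($known) { $known.Meaning } else { $latest.Status.FailureReason }
        $action  = if ($known) { $known.Action }  else { 'Not an MFA-registration code; read the Authentication Details tab' }
        [pscustomobject]@{
            ErrorCode = $code; Count = $_.Count; LastSeen = $latest.CreatedDateTime
            Meaning   = $meaning; Action = $action
        }
    } | Sort-Object Count -Descending
}

Get-AdminLockoutTriage -UserPrincipalName "admin@yourdomain.com" | Format-Table -AutoSize
```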
Domain-Joined and Hybrid Azure AD Scenarios
If your organization uses on-premises Active Directory synced to Entra via Azure AD Connect, MFA resets done in the cloud might not persist correctly if there's a sync conflict. After resetting MFA methods in Entra, check the on-premises AD account in Active Directory Users and Computers, look at the user properties, and verify there's no "Smart card is required for interactive logon" flag set accidentally. Also check that the UPN matches between on-prem and cloud; a UPN mismatch causes authentication to route incorrectly.
If you have absolutely no second admin account, no service principal access, no TAP capability, and the self-service recovery portal fails, you're in a situation that requires Microsoft to intervene directly. Contact Microsoft Support and open a billing/account access case (not a technical support case; billing cases are prioritized differently for lockout scenarios). You'll need to provide your tenant ID (visible on the Entra Overview page if you can reach it from any session), your domain name, and proof of ownership such as a credit card associated with the subscription or MCA agreement number. Microsoft's Identity and Access team can perform a verified admin reset, but expect verification to take 24–48 business hours for security reasons.
Prevention & Best Practices
Getting locked out of your own admin account because you can't reset two-factor authentication is entirely preventable. The configuration work takes about 20 minutes total, far less than the time you've already spent on this lockout. Here's what to put in place today, while you're thinking about it.
Emergency "break-glass" admin account: Create a dedicated Global Administrator account that is excluded from all MFA policies and Conditional Access rules. Name it something like breakglass@yourdomain.com. Assign it an extremely long random password (use a password manager to generate 40+ characters). Store the credentials in a physical safe or a privileged access workstation. Never use this account for day-to-day work; its only purpose is emergency recovery. Microsoft explicitly recommends this architecture in their zero-trust documentation.
Multiple MFA methods on every admin account: Every Global Admin should have at minimum three registered authentication methods: Microsoft Authenticator, SMS to a mobile number, and a backup email address. When you replace your phone, update the Authenticator registration before wiping the old device, not after.
Hardware security keys for critical admins: FIDO2 hardware keys like the YubiKey 5 series are device-independent: they work regardless of what phone you have. One key registered per admin account eliminates phone-loss lockouts entirely. Keys can be purchased for under $50 and registered at mysignins.microsoft.com/security-info.
Regular access reviews: Set a calendar reminder every 90 days to verify that each Global Admin account can still authenticate successfully. Proactively testing this is the only way to discover problems before they become emergencies.
- Create a break-glass emergency admin account excluded from all MFA Conditional Access policies and store credentials offline in a safe
- Register at least three MFA methods per admin account: authenticator app, SMS backup, and alternate email
- Enable the Temporary Access Pass authentication policy in Entra so it's available before you need it, not after
- Set up monthly Microsoft Entra sign-in log alerts for failed admin authentications via Entra > Monitoring > Diagnostic settings so lockout attempts get flagged before they become complete lockouts
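The 90-day access review above, scripted as an added example (not code from the original guide): it lists every Global Administrator and flags accounts with fewer than three non-password methods registered, so a lost phone is noticed before it becomes a lockout. It assumes a signed-in admin with the two scopes below; the function name is hypothetical.

```powershell
# Assumed: signed-in admin with the two scopes below. Function name is hypothetical.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

function Get-GlobalAdminMfaCoverage {
    param([int]$MinimumMethods = 3)   # authenticator + SMS + email, as recommended above

    # Get-MgDirectoryRole lists activated roles only; Global Administrator is always activated.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role not found" }

    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object {
            $memberId = $_.Id
            $upn      = $_.AdditionalProperties['userPrincipalName']
            # Every account carries a password method; only the other types count as MFA coverage.
            $mfa = @(Get-MgUserAuthenticationMethod -UserId $memberId |
                Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' })
            # Shorten '#microsoft.graph.fido2AuthenticationMethod' to 'fido2' for the report.
            $types = ($mfa | ForEach-Object {
                $_.AdditionalProperties['@odata.type'].Split('.')[-1] -replace 'AuthenticationMethod$', ''
            }) -join ', '
            # A break-glass account is expected to show up with no MFA; review it, don't "fix" it.
            $status = 'ok'
            if ($mfa.Count -lt $MinimumMethods) { $status = 'BELOW MINIMUM' }
            if ($mfa.Count -eq 0)               { $status = 'NO MFA (break-glass?)' }
            [pscustomobject]@{ UPN = $upn; Methods = $mfa.Count; Types = $types; Status = $status }
        } | Sort-Object Methods
}

Get-GlobalAdminMfaCoverage | Format-Table -AutoSize
```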
Frequently Asked Questions
I keep getting "approve sign-in request" but I don't have my phone anymore, what do I do?
This means Microsoft Authenticator push notifications are being sent to a device you no longer have. On the sign-in screen, look for a small link below the approval prompt that says "I can't use my Microsoft Authenticator app right now"; click that to see alternative verification options like SMS or email. If no alternatives appear, you'll need a second admin to reset your authentication methods via the Entra Admin Center at entra.microsoft.com, or have them issue you a Temporary Access Pass. Once you're back in, immediately delete the old device from your registered authentication methods and add your current phone.
Can I reset two-factor authentication for myself if I'm the only admin in the tenant?
This is the hardest scenario, and it requires going through Microsoft directly. If you registered a backup phone number or email at any point during initial setup, try the self-service portal at aka.ms/mfasetup using a fallback method; those are your best shot at self-recovery. If that fails completely, contact Microsoft Support with your tenant ID and billing account proof of ownership. For future prevention, create a break-glass admin account immediately after recovery; no organization should run with a single admin account.
Why is the Microsoft 365 Admin Center showing the same authentication message in a loop?
The loop happens when the portal is waiting for a push notification approval that never comes, typically because the registered device is unavailable, and the page refreshes or retries without surfacing an alternative method. To break the loop, open a completely fresh private/incognito browser window, clear all cookies and site data, then go directly to portal.office.com rather than admin.microsoft.com. The standard sign-in flow at portal.office.com sometimes surfaces alternative MFA options that the Admin Center redirect path suppresses. Also check that your browser isn't caching a partial authentication token from a previous session.
Will resetting MFA delete any of my data or affect my Microsoft 365 account settings?
No, resetting MFA authentication methods only affects how you prove your identity during sign-in. It has absolutely no impact on your emails, files, SharePoint data, Teams conversations, user licenses, or any tenant configuration. The only thing that changes is that your registered verification methods (phone, authenticator app, etc.) are cleared, and you'll be prompted to re-register them on your next sign-in. All your admin permissions, role assignments, and account settings remain completely intact.
How do I reset two-factor authentication for another user in my organization, not just myself?
As a Global Administrator or Authentication Administrator, go to the Microsoft 365 Admin Center at admin.microsoft.com, navigate to Users > Active Users, click the target user, and select "Manage multifactor authentication" from the user detail panel. On the legacy MFA management page, select the user and choose "Manage user settings," then check "Require selected users to provide contact methods again." Alternatively, use the modern path at entra.microsoft.com under Identity > Users > [user] > Authentication methods, where you can delete specific registered methods or issue a Temporary Access Pass. The user will be prompted to re-enroll on their next sign-in.
My Microsoft Authenticator app shows the account but the codes don't work, is this a different problem?
Yes, this is a separate issue from a full lockout and is usually much simpler to fix. TOTP codes (the six-digit numbers that refresh every 30 seconds) fail most often because your phone's clock is slightly out of sync with Microsoft's servers; even a 30-second drift causes consistent failures. On Android, open the Authenticator app, go to Settings > Time correction for codes > Sync now. On iPhone, go to Settings > General > Date & Time and make sure "Set Automatically" is enabled. If clock sync doesn't fix it, delete the account entry from Authenticator and re-add it using a fresh QR code from your Security Info page at mysignins.microsoft.com/security-info.