Introduction
Multi-Factor Authentication (MFA) is a crucial security measure in Microsoft Entra ID (formerly Azure AD) to protect against unauthorized access. However, users and administrators often encounter MFA lockout issues, preventing legitimate users from accessing their accounts. This can be due to device loss, incorrect configurations, or a lack of backup authentication methods.
In this blog, we will cover:
✅ Why MFA lockout happens
✅ How to reset MFA for users
✅ Bypass methods for emergency access
✅ Best practices to prevent future issues
🔍 Why Does MFA Lockout Happen?
MFA lockouts typically occur due to:
- Device Change – User loses access to their phone or resets their device
- Authenticator App Issues – User gets a new phone and doesn’t migrate the Authenticator app
- Phone Number Change – SMS authentication fails due to a new phone number
- Policy Restrictions – Conditional Access or legacy MFA settings prevent login
- MFA Throttling – Too many failed attempts lock out the user
🛠️ How to Reset MFA for a User
If a user is locked out, an Azure AD admin can reset their MFA settings. Here’s how:
🔹 Reset MFA via Microsoft Entra Admin Center
- Sign in to Microsoft Entra Admin Center as an administrator.
- Navigate to Users > All users
- Search for the affected user and select them
- Click Authentication methods > Require re-register multifactor authentication
- Have the user sign in again and set up MFA from scratch
🔹 Reset MFA Using PowerShell
Admins can reset MFA via PowerShell with Microsoft Graph PowerShell.
1️⃣ Connect to Microsoft Graph
```powershell
# UserAuthenticationMethod.ReadWrite.All covers listing, removing and adding
# authentication methods and issuing a TAP; User.ReadWrite.All is not enough.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"
```
2️⃣ Find the user needing an MFA reset
```powershell
Get-MgUser -UserId [email protected] | Select-Object DisplayName,UserPrincipalName,Id
```
3️⃣ Remove the user's registered MFA methods
Graph deletes authentication methods per type, so list the user's methods and call the matching Remove-MgUserAuthentication<Type>Method cmdlet for each one (the password method is not an MFA factor and stays):
```powershell
Get-MgUserAuthenticationMethod -UserId [email protected] | Select-Object Id, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] }}
# for example, a registered phone method is removed with its Id from the list above:
Remove-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneAuthenticationMethodId <phone-method-id>
```
4️⃣ Confirm the user is cleared of previous MFA methods
```powershell
Get-MgUserAuthenticationMethod -UserId [email protected]
```
The user will now be prompted to re-enroll in MFA at their next login.
🚨 Emergency MFA Bypass Methods
In cases where users are locked out and immediate access is required, temporary workarounds can help.
1️⃣ Use a Temporary Access Pass (TAP)
A Temporary Access Pass (TAP) is a time-limited passcode that lets a user sign in in place of their registered MFA methods so they can get in and register new ones.
Enable TAP:
- Go to Microsoft Entra Admin Center
- Navigate to Users > Authentication Methods
- Enable Temporary Access Pass policy
Issue a TAP for the user:
```powershell
# IsUsableOnce is a switch parameter, so it is set with the colon form
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId [email protected] -LifetimeInMinutes 30 -IsUsableOnce:$true
```
The user can now sign in using the TAP and reset their MFA.
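The PowerShell reset and the TAP issuance above combined into one script, as an added example that is not code from the original post. It assumes the Microsoft.Graph module is installed, that the per-type Remove-MgUserAuthentication*Method cmdlet and parameter names match your SDK version (check with Get-Command), and the $removers table and -DryRun switch are my own names.

```powershell
# Added example, not from the original post: reset a locked-out user's MFA
# with Microsoft Graph PowerShell and hand them a single-use TAP.
# Assumes the Microsoft.Graph module; the per-type Remove-* cmdlet and
# parameter names follow the SDK's naming and should be checked against your
# installed version with: Get-Command Remove-MgUserAuthentication*
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $TapLifetimeMinutes = 30,
    [switch] $DryRun   # report what would be removed, change nothing
)

# One scope covers listing and removing methods and issuing a TAP.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# Graph deletes methods per type: map each @odata.type to the remover cmdlet
# and the name of that cmdlet's method-id parameter (assumed names, see above).
$removers = @{
    '#microsoft.graph.phoneAuthenticationMethod'                  = @('Remove-MgUserAuthenticationPhoneMethod', 'PhoneAuthenticationMethodId')
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = @('Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod', 'MicrosoftAuthenticatorAuthenticationMethodId')
    '#microsoft.graph.softwareOathAuthenticationMethod'           = @('Remove-MgUserAuthenticationSoftwareOathMethod', 'SoftwareOathAuthenticationMethodId')
    '#microsoft.graph.fido2AuthenticationMethod'                  = @('Remove-MgUserAuthenticationFido2Method', 'Fido2AuthenticationMethodId')
    '#microsoft.graph.emailAuthenticationMethod'                  = @('Remove-MgUserAuthenticationEmailMethod', 'EmailAuthenticationMethodId')
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'    = @('Remove-MgUserAuthenticationTemporaryAccessPassMethod', 'TemporaryAccessPassAuthenticationMethodId')
}

foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserPrincipalName) {
    $type = $m.AdditionalProperties['@odata.type']
    # The password method is not an MFA factor and cannot be deleted; skip it.
    if ($type -eq '#microsoft.graph.passwordAuthenticationMethod') { continue }
    if (-not $removers.ContainsKey($type)) {
        Write-Warning "Leaving $type ($($m.Id)) in place: no remover mapped, remove it in the admin center"
        continue
    }
    $cmd, $idParam = $removers[$type]
    Write-Host "Removing $type $($m.Id) from $UserPrincipalName"
    if (-not $DryRun) {
        $idArg = @{ $idParam = $m.Id }      # splat the type-specific id parameter
        & $cmd -UserId $UserPrincipalName @idArg
    }
}
if ($DryRun) { return }

# Issue a short-lived, single-use TAP so the user can sign in and re-register.
# Deliver it out of band (phone call, in person), not via the mailbox the user cannot reach.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
    -LifetimeInMinutes $TapLifetimeMinutes -IsUsableOnce:$true
Write-Host "TAP for $UserPrincipalName (valid $TapLifetimeMinutes min, single use): $($tap.TemporaryAccessPass)"
```

Run it first with -DryRun to see which methods would be removed; after the real run, step 4's Get-MgUserAuthenticationMethod should list only the password method and the new TAP.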
2️⃣ Add a Backup Authentication Method
If a user still has access to another sign-in method, add an additional MFA option.
Via Admin Portal:
- Go to Users in Entra Admin Center
- Select the user > Authentication methods
- Click Add method and enter an alternate phone number or security key
Via PowerShell:
```powershell
# smsSignInState is read-only on the phone method; whether SMS sign-in is
# available is governed by the tenant's authentication methods policy.
New-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneNumber "+1234567890" -PhoneType mobile
```
Now, the user can verify via SMS instead.
3️⃣ Disable MFA Temporarily
⚠ Warning: This is a security risk and should only be used as a last resort.
Disable per-user MFA for a single user via PowerShell (legacy MSOnline module, which Microsoft has deprecated; this clears per-user MFA only and does not affect Conditional Access policies that require MFA):
```powershell
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @()
```
OR disable MFA for an entire tenant (not recommended):
```powershell
Set-MsolCompanySettings -PreventPerUserMFA $true
```
Re-enable MFA as soon as possible.
✅ Best Practices to Prevent MFA Lockouts
🔹 Enable Multiple Authentication Methods – Users should register both phone and Authenticator app.
🔹 Use Temporary Access Passes (TAP) – Helps in cases of device loss.
🔹 Educate Users on MFA Backup Codes – Encourage users to save backup codes.
🔹 Enable Admin Recovery Options – Allow trusted admins to reset MFA.
🔹 Monitor MFA Logs – Use Entra sign-in logs to track MFA failures (Get-MgAuditLogSignIn needs the AuditLog.Read.All and Directory.Read.All scopes):
```powershell
# 500121: authentication failed during the strong authentication (MFA) request
Get-MgAuditLogSignIn -Filter "status/errorCode eq 500121"
```
📌 Conclusion
MFA is essential for securing accounts, but lockouts can frustrate users and disrupt productivity. By using TAP, PowerShell resets, and backup methods, admins can quickly restore access while keeping security intact.
🚀 What’s next? Consider automating MFA resets with Microsoft Graph API or setting up self-service MFA reset policies for users.
🔹 Have you experienced MFA lockout issues? What solutions worked best for you? Let’s discuss in the comments! 💬