How does a Guest User reset their MS Authenticator MFA settings in Azure Active Directory?

I know how to reset my Authenticator app MFA settings in my host tenant. I would use this link https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 per the instructions found here https://learn.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-manage-settings, and I would click on the "Set up Authenticator app" button.

But how do I reset my MFA in a tenant where I am a Guest?

Howey answered 24/7, 2020 at 18:4 Comment(1)
please see: uclabs.blog/2018/03/mfa-with-guest-access-and-different.htmlNorthnorthwest

If you have only one MFA method set, and this method is lost to you, then as far as I know, you cannot join the guest organizations that you need to reset the MFA for. This means you cannot reset your authenticator app by going to your profile as is suggested in the other answer.

If you have set multiple methods for MFA (like authenticator AND phone number) then you may be able to log in using the 'Sign in another way' option. With this extra MFA option you can reset the MFA options that are lost to you, through 'https://myaccount.microsoft.com/'.

When you are completely locked out of the tenants you are guest in, because you lost access to all your configured MFA options, what needs to be done is this:

  1. Contact a global administrator of the organization you are guest in

  2. Let her/him/them go to your user account (Azure Active Directory > Users)

  3. Then she/he/they need to select 'Profile > Authentication Methods'

  4. And click 'Require re-register MFA'

  5. After that you are asked to set up MFA again for that organization when logging in.

(Screenshots for steps 2 and 4 not reproduced.)

Canaveral answered 1/12, 2020 at 10:8 Comment(6)
If this answer is correct, that you cannot do it. Then Microsoft needs to fix this. Why would a user not be able to reset their own MFA in any tenant?Howey
You say "If this answer is correct". I did try the other solutions and they certainly did not work for me, or other guest users in our tenants. Because I am also a global admin for tenants with guest users, I am sure the second part of my answer is correct. There is no need to delete the users.Canaveral
In addition: I think it is good practice to always add a second MFA method. That way you can log in to the organizations in myaccount.microsoft.com by choosing 'Sign in another way'. I managed to sign in with an SMS code and then I was able to reset the authenticator app MFA in the tenant I was guest in.Canaveral
edited my answer to account for other MFA methods besides the authenticator method.Canaveral
Adding another MFA option is a great tip! I have always thought it was a hassle, but it is more of a hassle to be dependent on an admin to fix/reset your MFA.Howey
What worked for me, was to click on the per-user MFA link and then clicking on enable MFA for the user. This creates a pop up with a link which allows you to set up your MFA methods.Rasorial
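The admin-side reset in the answer above is a portal procedure. As an added example (not code from the answer or from Microsoft), the same outcome scripted with the Microsoft Graph PowerShell SDK: an administrator of the tenant the user is a guest in removes the guest's registered Microsoft Authenticator method(s) so the user is prompted to register again at next sign-in, optionally clearing phone/SMS methods as well for a full reset. It assumes the Microsoft.Graph module is installed and that the signed-in admin holds a role permitted to manage other users' authentication methods; the tenant ID and the guest UPN are placeholders.

```powershell
# Added example, not from the answer above: Microsoft Graph PowerShell equivalent of an
# admin clearing a guest's lost Authenticator registration in the resource tenant.
# Assumes the Microsoft.Graph module is installed and the caller may manage other
# users' authentication methods. Tenant ID and UPN are placeholders.
param(
    [string]$ResourceTenantId = '00000000-0000-0000-0000-000000000000',
    # Guest objects carry a synthetic UPN: <local-part>_<home-domain>#EXT#@<tenant>.onmicrosoft.com
    [string]$GuestUpn = 'jane.doe_fabrikam.com#EXT#@contoso.onmicrosoft.com',
    # $true also drops phone/SMS registrations, i.e. a full reset like 'Require re-register MFA'
    [bool]$RemovePhoneMethods = $false
)

# Sign in to the tenant the user is a GUEST in, not to the user's home tenant.
Connect-MgGraph -TenantId $ResourceTenantId -Scopes 'User.Read.All','UserAuthenticationMethod.ReadWrite.All'

# Look the guest up by filter rather than by path segment so the '#' in the UPN needs no manual encoding.
$user = Get-MgUser -Filter "userPrincipalName eq '$GuestUpn'" -Property Id,UserPrincipalName,UserType
if (-not $user) { throw "No user with UPN '$GuestUpn' in tenant $ResourceTenantId" }
if ($user.UserType -ne 'Guest') { Write-Warning "'$GuestUpn' is a $($user.UserType), not a Guest; continuing anyway" }

function Show-RegisteredMethods {
    param([string]$UserId)
    # Each entry carries its concrete type (password, microsoftAuthenticator, phone, ...) in @odata.type
    Get-MgUserAuthenticationMethod -UserId $UserId |
        ForEach-Object { "  $($_.AdditionalProperties['@odata.type']) id=$($_.Id)" }
}

# Inventory before touching anything, so the change is auditable.
Write-Host 'Registered methods before:'
Show-RegisteredMethods -UserId $user.Id

# Remove every Microsoft Authenticator registration (the device the user no longer has).
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id | ForEach-Object {
    Write-Host "Removing Authenticator registration '$($_.DisplayName)' ($($_.Id))"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
}

if ($RemovePhoneMethods) {
    Get-MgUserAuthenticationPhoneMethod -UserId $user.Id | ForEach-Object {
        Write-Host "Removing phone method $($_.PhoneType) $($_.PhoneNumber)"
        Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $_.Id
    }
}

Write-Host 'Registered methods after:'
Show-RegisteredMethods -UserId $user.Id
```

Deleting a registered method is an MFA reset, and an admin-assisted MFA reset is a standard account-takeover path when the request is socially engineered, so verify the requester out of band before running this. Leaving the phone method in place by default matches the comment above: with a second method still registered the user can sign in with 'Sign in another way' and re-enrol the Authenticator themselves.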

Provided you still have access to the original MFA device, or originally configured to also allow SMS MFA login, these instructions worked for me. This is based on what @Carl linked to above (http://www.uclabs.blog/2018/03/mfa-with-guest-access-and-different.html), but expanded out a bit as I struggled to follow it as written.

BTW I recommend doing all this in a private/incognito window, to be sure you know what you are logged in as.

  1. Login to https://myapplications.microsoft.com/ using your 'normal' tenancy credentials.

  2. Select the profile badge for you (circle, top right), and select 'Switch organisation' to log into the guest tenancy you want to reconfigure. At this point if you don't have access to the current MFA authenticator device you will need to use 'login another way' to use SMS MFA for this login.

  3. Now, in the guest tenancy, select your badge again, and select 'My Profile'. If you don't see 'My Profile', use the ellipsis (...) and select to leave the 'new experience'. When the page reloads, now you should find the 'My Profile' link under your badge.

  4. On the profile page, right hand side, you should see 'Additional Security Verification'. This should get you to this page in the guest tenancy: https://account.activedirectory.windowsazure.com/Proofup.aspx

  5. From there you should see options to (re)setup your Authenticator app (scan the QR code etc...). Don't forget to delete the registration for your old phone too.

Euphemiah answered 11/1, 2021 at 4:8 Comment(5)
Right on money! Thanks!Philippines
Hi @piers7, you saved my day! Microsoft did a really poor job to hide this option so well behind the "leave the 'new experience'" button. Thank you so much!Nunnery
OMG! THANK YOU SO MUCH! I never even found this "control panel" because Microsoft hides this so well for guest accounts added to Microsoft accounts without an organization!Jordonjorey
Thank you so much! I believe that recently they allowed to switch between organizations directly on myaccount.microsoft.com so now it should be easier. Just select your profile picture and from there click on Switch organization. However, I've struggled to find this option until I stumbled on your answer.Jussive
Some of these instructions (such as 'My Profile' and 'Additional Security Verification') may be outdated but guessing an equivalent this finally worked!! I spent hours on this. I am a member and a guest at two different AADs, but also have admin access with another account. What I don't understand is that I found three (!) different sets of MFA authentication methods. Some only support phone and app, others also mail. Following the instructions here finally brought me to the set that only had the outdated app and I could add the phone method and make it default. At last, back in DevOps.Matrimony

For your question, you can use the following two methods:

  1. You can change `common` to the host tenant ID in the address bar when using https://myapps.microsoft.com for the login request, and then log in to your guest tenant.

  2. If you are already logged in, you can directly switch to the guest tenant that needs MFA configured. You can check this link for details.
Northnorthwest answered 27/7, 2020 at 9:20 Comment(2)
Can you clarify step 1?Howey
This is not working at all. Before I can change any settings in the tenant in which I am a guest I need to log in with my MFA in that organization. And hahaha, the MFA is not working due to the phone reset.Canaveral

For the issue we were trying to resolve, we had to have the user Leave the Organization and re-add them. However, I think this is the last resort, and not the accepted answer.

Howey answered 31/7, 2020 at 13:48 Comment(0)

It would seem that some things have changed and either the URLs given in the answers (not just in this question, but in many others and in articles I found) don't work, or redirect to different addresses. Depending on what you are allowed to do in the AAD you try to tweak your MFA in, you may actually not have access to those intermediate addresses and get blocked, but it may turn out that the actual MFA setup page is available to you and you only need to know its address.

The address I found to be currently leading to where you should be is:
https://mysignins.microsoft.com/security-info?tenant=00000000-0000-0000-0000-000000000000
where instead of 00000000-0000-0000-0000-000000000000 you should put the ID of the directory you want to set up MFA for.

If you have lost access to your already set up MFA methods, then the AAD admin will have to step in, e.g. as in the accepted answer from Datautomate.

Gert answered 10/5, 2021 at 21:3 Comment(2)
What URL's are you talking about? 'myaccount.microsoft.com' still works.Canaveral
I had no need to do this now, but if I recall correctly from when I had the issue, the myaccount.microsoft.com did not work for my case, as it requires you to authenticate to the main account first. Which is not something I could at the moment (I had issues with the host directory MFA). The link I've given (which is what myaccount actually leads to in the end), allowed me to point to the directory I'm a guest in, which did not require main account full authentication (e.g. MFA). The second method from your answer does work (that's why I refer to it), but it requires an admin assistance.Gert
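Both the security-info URL in the answer above and the "replace `common` with the tenant ID" step in Northnorthwest's answer require the directory (tenant) ID of the organisation you are a guest in, which is awkward to obtain when you cannot sign in to it. As an added example (not code from either answer), the following looks the ID up from a domain the tenant owns via the unauthenticated OpenID Connect discovery document that login.microsoftonline.com publishes per tenant, then assembles the URL. The domain `contoso.com` is a placeholder.

```powershell
# Added example, not from the answers above: resolve a tenant ID from a verified domain
# without signing in, then build the security-info URL for that guest directory.
# 'contoso.com' is a placeholder; use a domain the target tenant owns.
function Get-TenantIdFromDomain {
    param([Parameter(Mandatory)][string]$Domain)

    # Per-tenant OIDC discovery document; readable anonymously.
    $uri = "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    try {
        $discovery = Invoke-RestMethod -Uri $uri -Method Get
    }
    catch {
        # A domain that belongs to no Azure AD tenant yields an HTTP 400 from the login endpoint.
        throw "No Azure AD tenant found for domain '$Domain': $($_.Exception.Message)"
    }

    # issuer has the form https://login.microsoftonline.com/<tenant-guid>/v2.0
    if ($discovery.issuer -match '/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/') {
        return $Matches[1]
    }
    throw "Unexpected issuer format: $($discovery.issuer)"
}

function Get-GuestSecurityInfoUrl {
    param([Parameter(Mandatory)][string]$Domain)
    $tenantId = Get-TenantIdFromDomain -Domain $Domain
    # Same URL as in the answer above; the tenant query parameter selects the guest directory,
    # and the same GUID is what replaces 'common' in the myapps.microsoft.com login URL.
    return "https://mysignins.microsoft.com/security-info?tenant=$tenantId"
}

Get-GuestSecurityInfoUrl -Domain 'contoso.com'
```

Open the resulting URL in a private window, as the earlier answer recommends, so that the browser does not silently reuse a session for your home tenant; the sign-in that follows is evaluated against the guest tenant's MFA registration, which is why a still-working second method (SMS, for instance) is what lets you reach the page and replace the lost Authenticator.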

© 2022 - 2024 — McMap. All rights reserved.