Because the user is marked as risky and actions on the account are failing, handle this in two parts: fix the risky-user state and then reset MFA.
- Verify admin role and location
- Ensure the admin performing the action holds the Authentication Administrator role (sufficient for non-admin users) or Privileged Authentication Administrator (required when the affected user holds any admin role). Authentication Policy Administrator manages the tenant-wide methods policy, not an individual user's registered methods, so it is not enough here.
- Use the Microsoft Entra admin center (https://entra.microsoft.com), not the user self-service pages, to manage the user.
- Try the supported MFA reset path
- In Entra admin center, go to Entra ID → Users → select the affected user → Authentication methods.
- From the top bar, try:
- Require re-register multifactor authentication (or Require re-register MFA), then OK.
- On the user's Overview page, also use Reset password (an admin password reset also remediates the user's risk state in Identity Protection) and Revoke sessions to invalidate existing refresh tokens.
- After this, the next sign-in should interrupt the user and force a fresh MFA registration.
- If re-register/revoke still error out
- Because the user is a risky user, first check Protection → Identity Protection → Risky users: select the user and either Dismiss user risk (only after you have investigated and are satisfied the account is not compromised) or Confirm user compromised and reset the password, which remediates the risk. Then ensure that Conditional Access or Identity Protection policies are not blocking remediation: with Microsoft Entra ID Protection, users must be able to self-remediate via MFA and SSPR, and if policies are misconfigured (for example, a user-risk policy that blocks access instead of requiring a secure password change), admin actions and user registration flows can fail.
- Confirm the user can reach the combined registration page and Security info page:
- Registration/interrupt mode is driven by the MFA and SSPR policies. If methods are missing or unavailable, check that the methods (Microsoft Authenticator, phone, and so on) are enabled in the Authentication methods policy and the SSPR policy, and that the user has not hit the registration limit (five Authenticator app or hardware token registrations per user).
- Clear existing Authenticator registrations if possible
- Ask the user to sign in (if they still can) to https://aka.ms/mysecurityinfo and remove old Microsoft Authenticator entries or other sign-in methods, then add the Authenticator app again.
- If the user has already reached the maximum number of Authenticator registrations or device tokens, deleting some methods from Security info will free up slots so a new device can be registered.
- If the user (or you) is completely blocked
- If there is another Global Administrator or Privileged Authentication Administrator, have that admin perform the Require re-register multifactor authentication operation on this user.
- If the affected user is the only global admin and no admin can perform the reset due to MFA lockout or errors, this becomes a tenant-recovery scenario. In that case, contact Microsoft Support and request escalation to the Data Protection / Tenant Recovery team to reset MFA registration for the account.
- After remediation
- Once MFA is reset and the risky state is addressed, have the user:
- Re-register Microsoft Authenticator during the sign-in interrupt.
- Optionally add a backup method (phone/SMS) in Security info so future device loss does not fully block access.
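For tenants where the portal actions keep erroring out, the same two-part procedure (inspect and clear the risk state, then reset MFA and revoke sessions) can be driven through Microsoft Graph. The script below is an added example, not part of the original answer or of any Microsoft tooling. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), an admin signed in with the UserAuthenticationMethod.ReadWrite.All, IdentityRiskyUser.ReadWrite.All and User.RevokeSessions.All scopes, and a placeholder -UserPrincipalName you supply. Graph has no single "Require re-register multifactor authentication" action; the closest equivalent is deleting the user's registered methods, which forces fresh registration at the next interactive sign-in. The caller's directory role still governs what Graph lets you delete: for a user who holds an admin role, the caller needs Privileged Authentication Administrator.

```powershell
# Added example (not from the original answer): scripted version of the
# "fix risk state, then reset MFA" procedure using Microsoft Graph REST calls.
# Placeholders: $UserPrincipalName and the -RiskAction choice are yours to set.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [ValidateSet('None', 'Dismiss', 'ConfirmCompromised')] [string] $RiskAction = 'None'
)

Connect-MgGraph -Scopes 'User.Read.All',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'IdentityRiskyUser.ReadWrite.All',
                        'User.RevokeSessions.All' -NoWelcome

$user   = Invoke-MgGraphRequest -Method GET -Uri "v1.0/users/$UserPrincipalName?`$select=id,userPrincipalName"
$userId = $user.id

# --- Part 1: inspect and (optionally) clear the risky-user state ---
# riskyUsers/{id} uses the user's object id; a 404 means there is no risk record.
try {
    $risk = Invoke-MgGraphRequest -Method GET -Uri "v1.0/identityProtection/riskyUsers/$userId"
    Write-Host "Risk: level=$($risk.riskLevel) state=$($risk.riskState) detail=$($risk.riskDetail)"
} catch {
    Write-Host "No risk record for $UserPrincipalName"
    $risk = $null
}

if ($risk -and $risk.riskState -eq 'atRisk' -and $RiskAction -ne 'None') {
    # Dismiss only after investigation; confirmCompromised raises risk to high
    # and should be followed by a password reset, which remediates it.
    $action = if ($RiskAction -eq 'Dismiss') { 'dismiss' } else { 'confirmCompromised' }
    Invoke-MgGraphRequest -Method POST -Uri "v1.0/identityProtection/riskyUsers/$action" `
        -Body (@{ userIds = @($userId) } | ConvertTo-Json) -ContentType 'application/json'
    Write-Host "Risk state: $action requested"
}

# --- Part 2: reset MFA by removing every deletable registered method ---
# Maps each method's @odata.type to the Graph collection it is deleted from.
# The password method cannot be deleted and is left out on purpose.
$collections = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}

$methods = (Invoke-MgGraphRequest -Method GET -Uri "v1.0/users/$userId/authentication/methods").value
$pending = @($methods | Where-Object { $collections.ContainsKey($_.'@odata.type') })
Write-Host "Registered methods: $($methods.Count) (deletable: $($pending.Count))"

# Deleting the user's default method can be rejected while other methods remain,
# so keep making passes until a pass deletes nothing more.
do {
    $failed = @()
    foreach ($m in $pending) {
        $uri = "v1.0/users/$userId/authentication/$($collections[$m.'@odata.type'])/$($m.id)"
        try {
            Invoke-MgGraphRequest -Method DELETE -Uri $uri
            Write-Host "Deleted $($m.'@odata.type') $($m.id)"
        } catch {
            $failed += $m
        }
    }
    $progress = $failed.Count -lt $pending.Count
    $pending  = $failed
} while ($pending.Count -gt 0 -and $progress)

if ($pending.Count -gt 0) {
    Write-Warning "Could not delete $($pending.Count) method(s); check the caller's role (Privileged Authentication Administrator is needed for admin accounts)."
}

# Invalidate refresh tokens so the next interactive sign-in hits the registration interrupt.
Invoke-MgGraphRequest -Method POST -Uri "v1.0/users/$userId/revokeSignInSessions" | Out-Null
Write-Host "Sessions revoked for $UserPrincipalName; the user will re-register MFA at next sign-in."
```

Run it as `.\Reset-RiskyUserMfa.ps1 -UserPrincipalName user@contoso.com -RiskAction Dismiss` (file name and UPN are placeholders). It is deliberately read-first: the risk record and the method list are printed before anything is removed, so you can stop and investigate if the risk detail or the registered devices look unexpected. Because it enumerates every registration, it also clears the "five devices already registered" condition from the troubleshooting step above without the user needing to reach Security info themselves.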
References:
- Manage user authentication methods for Microsoft Entra multifactor authentication
- Can't set up MFA because five devices are already registered to use an authenticator app
- Troubleshooting combined security information registration
- Self-remediation experience with Microsoft Entra ID Protection and Conditional Access
- Combined security information registration for Microsoft Entra overview
- Global Admin Locked out - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- I need to reset my mfa methods - Microsoft Q&A
- Microsoft Authenticator app doesn't show 6-digit OTP code - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A