We're facing a challenge with users who have to use Microsoft Authenticator for multi-factor authentication (MFA). When they switch to a new phone, they often get stuck in a loop trying to complete the MFA process. I'm thinking the problem might be that their old phone is still registered in the system, causing the authentication prompts to go there instead. Is that a correct assumption?
3 Answers
It’s a common issue! Microsoft’s approach seems flawed since they expect users to have access to their old devices when setting up new ones. We often advise users to use the Azure Portal to re-register and utilize a TAP to help them enroll their new device instead. It can get tricky, though.
Another option is to remind users to visit mysignins.microsoft.com, select the devices tab, and add a backup authentication method, like a phone number for text messages. That way, when they get a new phone, they can still use the text message option for authentication. Once they're logged in, they can add the new phone and remove the old one from the device list.
Not to mention that text message MFA is often disabled by security-conscious organizations, so it may not be a viable option.
Yes, you're right! The MFA is tied to the device, so if someone loses access to their old phone, they can get locked out just like losing house keys. IT can help by removing the old authenticator and providing a Temporary Access Pass (TAP) for the user to set up their new phone.

But let's be real, even our devs struggle with transferring their MFA to new phones sometimes!
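The admin-side procedure the first and third answers describe (list the user's methods, remove the Microsoft Authenticator registration that still points at the old phone, and issue a Temporary Access Pass so the user can re-enroll) can be scripted with the Microsoft Graph PowerShell SDK instead of clicking through the portal. The script below is an added example, not code from the thread or from Microsoft. It assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in admin can manage authentication methods (for instance the Authentication Administrator role), the Temporary Access Pass method is enabled in the tenant's authentication method policy, and the helpdesk has already verified the caller's identity out of band before running it. The user principal name and script name are placeholders.

```powershell
# Reset-AuthenticatorAndIssueTap.ps1
# Added example (not from the original thread). Assumptions: Microsoft.Graph.Identity.SignIns
# installed, an admin role allowed to manage authentication methods, TAP enabled in the
# tenant's authentication method policy, caller identity already verified by the helpdesk.
# Usage: .\Reset-AuthenticatorAndIssueTap.ps1 -UserPrincipalName alice@contoso.example
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $TapLifetimeMinutes = 60
)

# Scope needed to read, delete and create a user's authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# 1. Show every registered method, so the admin can see which ones are tied to the old
#    device and which (e.g. a phone/SMS method) will keep working after the cleanup.
$methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
$methods | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Type = $_.AdditionalProperties['@odata.type']
    }
} | Format-Table -AutoSize

# 2. Each Microsoft Authenticator registration is one specific phone. DisplayName is the
#    device name the user gave it, so the old handset is normally identifiable here.
$authApps = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName
foreach ($app in $authApps) {
    Write-Host "Authenticator registration: $($app.DisplayName) [$($app.Id)], created $($app.CreatedDateTime)"
}

# 3. Remove the stale registration(s). Push approvals stop going to the old phone, which is
#    what breaks the 'approve on a device you no longer have' loop.
foreach ($app in $authApps) {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $app.Id
    Write-Host "Removed Authenticator registration '$($app.DisplayName)'"
}

# 4. Issue a short-lived, single-use TAP. Signing in with it satisfies MFA without the old
#    device; the user then registers Authenticator on the new phone from the Security info page.
$tapBody = @{
    isUsableOnce      = $true
    lifetimeInMinutes = $TapLifetimeMinutes
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $UserPrincipalName `
    -BodyParameter $tapBody

Write-Host "TAP for $UserPrincipalName (valid $($tap.LifetimeInMinutes) min, single use): $($tap.TemporaryAccessPass)"
```

Treat the printed TAP as a credential: it should be handed over through a channel whose recipient the helpdesk has already verified, not emailed to a mailbox the user may be locked out of anyway, and the single-use, short-lifetime settings in step 4 limit the damage if it is intercepted. Step 1 is deliberately read-only so the admin can confirm the user still has at least one working method (or will get the TAP) before anything is deleted.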