
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Anonymous

Enabled MFA and now locked out of everything.

Hello all,

Figured I'd make a post here since MS isn't answering the phone at present.

I just enabled MFA for my O365 account through Azure, and now I am locked out of everything. I cannot access any pages with my O365 credentials. I am getting the screen below.

[screenshot: "Sign in to Microsoft Azure" error page, 2019-07-02]

Any thoughts or suggestions?

Thanks

10 REPLIES
ebukoz
Visitor 1

I have a similar issue. I enabled MFA on my global admin account for my Partner Center account and enrolled the Microsoft Authenticator app. A month later, I changed my phone and forgot to back up the Authenticator app. Now each time I try to log in, it asks for an MFA code from the Authenticator app, but I don't have access to the app.

I downloaded the Authenticator app on the new phone, but I can't enroll in the app as I can't log in to the account in Azure AD.

Please help... any advice on how to go about this?

JanoschUlmer
Microsoft

@ebukoz: So you have only one global admin account in your tenant? You have only set up one authentication method?

Having at least two admin accounts, and each global admin having more than one authentication method or more than one app registered for MFA, is always strongly recommended.

See also https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access

This guidance is applicable also to CSP, with the only difference that in a CSP tenant you cannot exclude any account from MFA completely.

If there is any other admin account, this admin can reset the MFA registration status.

I know it is maybe too late for this guidance now, but this is still one part of the answer, and hopefully it avoids others following this thread having the same problem.

The 2nd aspect is that you can now actually back up and recover accounts in the app, though I guess this also comes too late.

Another option could be to attempt sign-in with this account on a Win10 device that has a TPM, and the device has Windows Hello for Business set up (for the global admin account) or is Azure AD (hybrid) joined (with the global admin account, and MFA was enabled during registration). When using the Edge browser/Edge Preview, or Chrome with the Microsoft Account add-in, the device might work as the second factor in this scenario.

Finally, if all of the above fails, you can open a support ticket using this form: https://aka.ms/AzurePortalHelp or via phone.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
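The two recommendations above (at least two global admins, and more than one registered method per admin) can be checked from the Microsoft Graph PowerShell SDK, and a second admin can clear a stale Authenticator registration so the locked-out user can re-register on the new phone. The script below is an added example and is not code from the thread or from Microsoft's documentation; it assumes the Microsoft.Graph module is installed, that the account running it holds an admin role able to read role memberships and manage authentication methods, and the UPN `admin@contoso.onmicrosoft.com` is a placeholder for the locked-out account.

```powershell
# Added example (not from the thread): audit every Global Administrator's registered
# second-factor methods, then reset one admin's Authenticator registration from a
# second admin account. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# Global Administrator role template ID (the same fixed value in every tenant)
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id

$report = foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName
    # Each registered method carries its own @odata.type. The password method is always
    # present and is not a second factor, so it is excluded from the count.
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id |
        Where-Object { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.passwordAuthenticationMethod' })
    [pscustomobject]@{
        User       = $user.UserPrincipalName
        MfaMethods = $methods.Count
        Types      = (($methods | ForEach-Object { $_.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', '' }) -join ', ')
    }
}
$report | Format-Table -AutoSize

# An admin with a single registered method is one lost phone away from this thread.
$report | Where-Object { $_.MfaMethods -lt 2 } | ForEach-Object {
    Write-Warning "$($_.User) has $($_.MfaMethods) second-factor method(s); register another before a device is lost."
}
if (@($members).Count -lt 2) {
    Write-Warning "Only one Global Administrator exists; create an emergency-access (break-glass) account."
}

# Recovery, run by a *different* admin: remove the stale Authenticator registration so the
# locked-out user is prompted to register again (on the new phone) at next sign-in.
$lockedOut = "admin@contoso.onmicrosoft.com"   # placeholder UPN, assumption for this example
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $lockedOut | ForEach-Object {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $lockedOut `
        -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    Write-Host "Removed Authenticator registration $($_.Id) for $lockedOut"
}
```

The removal step only helps if a second account can still sign in, which is exactly why the audit at the top is worth running before, not after, MFA is switched on for the last admin.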
mpbwillis
Visitor 1

Hi, yesterday I implemented MFA and this appears to have worked when logging into the Partner Centre and into my OWA account. I am able to authenticate through the Authenticator app, which works well and correctly.

Trouble is, since implementing this I can gain access to my mail through OWA, and through mobile phone and tablet, but not through Outlook on my PC. I have tried setting up a new profile and it gets as far as asking for a password, then goes into a loop asking for the password time and time again. I know the password is correct, as I can log in to OWA using the same password.

A support ticket to Microsoft has led to being chased around the houses; hoping somebody on here might be able to advise or help. Many thanks.

eric_CM
Visitor 1

Once you enable MFA, you need an app password in Outlook. It no longer takes your Office 365 password.

JanoschUlmer
Microsoft

@eric_CM This is only true for Outlook versions older than 2013. For 2013 and newer, this can happen when Modern Authentication was disabled (either in Exchange Online in your tenant, in Outlook locally, or both).

Kind regards, Janosch
fmartel
Level 2 Contributor

Hello,

This is a cache issue with the Autodiscover service, or your Exchange Online deployment doesn't have ADAL (Modern Auth) activated. Both of these requirements can take several hours. In the meantime you can use an app password to bypass the authentication for the Autodiscover service, or wait for tomorrow to create a new Outlook profile.

Hope it helps.
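The two replies above point at the same root cause from two sides: Modern Authentication (OAuth, historically called ADAL) can be off in the Exchange Online tenant, off in the local Outlook client, or both, and an MFA-enabled account then loops on the password prompt because basic auth has no way to satisfy the second factor. The script below is an added example, not code from either poster; it assumes the ExchangeOnlineManagement module is installed, that the tenant side is run by an Exchange admin, and that the client side is run on the affected PC as the user whose Outlook profile is looping.

```powershell
# Added example (not from the thread): find out which side has Modern Auth turned off.
# Tenant side requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# OAuth2ClientProfileEnabled is the Modern Authentication switch for Exchange Online.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning "Modern Auth is disabled in Exchange Online; Outlook 2013+ falls back to basic auth and loops on MFA-enabled mailboxes."
    # Turn it on. The change propagates over a period of time, so a brand-new Outlook
    # profile may still loop right after this runs.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
} else {
    "Exchange Online: Modern Auth is enabled"
}

# Client side: Outlook 2013 (15.0) needs EnableADAL=1 and Version=1 under the Identity key;
# Outlook 2016 and later (16.0) has it on by default, and EnableADAL=0 switches it off.
$versions = @{ '15.0' = 'Outlook 2013'; '16.0' = 'Outlook 2016 or later' }
foreach ($v in $versions.Keys) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Common\Identity"
    if (-not (Test-Path $key)) { continue }
    $adal = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableADAL

    if ($null -eq $adal) {
        $state = if ($v -eq '15.0') { 'off (value not set)' } else { 'on (default)' }
    } elseif ($adal -eq 0) {
        $state = 'off (EnableADAL=0)'
    } else {
        $state = 'on (EnableADAL=1)'
    }
    "$($versions[$v]): Modern Auth $state"

    if ($v -eq '15.0' -and $adal -ne 1) {
        # Enable ADAL for Outlook 2013 (the client also needs the Office update that added ADAL support)
        New-ItemProperty -Path $key -Name EnableADAL -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name Version    -PropertyType DWord -Value 1 -Force | Out-Null
        "$($versions[$v]): EnableADAL set; restart Outlook and create the profile again"
    }
}
```

If both checks come back enabled and the loop persists, the remaining explanation in the thread is cached Autodiscover state, which is time-based rather than something a setting can flush; an app password is the stop-gap only for clients that genuinely cannot do Modern Auth.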

VNJoe
Level 6 Contributor

You might want to dig into some PowerShell; the PartnerCenter cmdlet might let you in. I looked, and it seems that enabling and disabling Conditional Access isn't exposed in PowerShell yet, but you might want to double-check my research. You might find a way to turn it off via PowerShell so you can get in and use the GUI that every product and system should have on Microsoft products....

Here's an overview that might help you next time, including steps to take prior to enabling to ensure you can get in:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
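For readers arriving at this thread later: Conditional Access policies are manageable from the Microsoft Graph PowerShell SDK, which makes the "turn it off so I can get back into the portal" move possible from a second admin session, and lets you confirm before enabling anything that an emergency-access account is excluded. The script below is an added example and not code from the poster or from Microsoft's documentation; it assumes the Microsoft.Graph module, an account that can still sign in and holds a role able to change Conditional Access policies, a placeholder break-glass UPN `breakglass@contoso.onmicrosoft.com`, and a placeholder policy name `Require MFA for all users`.

```powershell
# Added example (not from the thread): list Conditional Access policies, flag the ones that
# require MFA without excluding the emergency-access account, and move one policy to
# report-only instead of deleting it. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$breakGlass = "breakglass@contoso.onmicrosoft.com"   # placeholder, assumption for this example
$bgId = (Get-MgUser -UserId $breakGlass -Property Id).Id

$policies = Get-MgIdentityConditionalAccessPolicy
$overview = foreach ($p in $policies) {
    $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
    $excluded    = $p.Conditions.Users.ExcludeUsers -contains $bgId
    [pscustomobject]@{
        Name               = $p.DisplayName
        State              = $p.State               # enabled | disabled | enabledForReportingButNotEnforced
        RequiresMfa        = $requiresMfa
        BreakGlassExcluded = $excluded
    }
}
$overview | Format-Table -AutoSize

# Any enforced MFA policy that does not exclude the break-glass account can lock out the
# last admin the moment their device is lost.
$overview | Where-Object { $_.State -eq 'enabled' -and $_.RequiresMfa -and -not $_.BreakGlassExcluded } |
    ForEach-Object { Write-Warning "Policy '$($_.Name)' requires MFA and does not exclude $breakGlass" }

# Recovery: set the offending policy to report-only. The policy's conditions and controls are
# kept, so it can be re-enabled once the admin has registered a working second factor.
$target = $policies | Where-Object { $_.DisplayName -eq 'Require MFA for all users' }   # placeholder name
if ($target) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $target.Id `
        -State "enabledForReportingButNotEnforced"
    "Policy '$($target.DisplayName)' is now report-only"
}
```

Report-only is preferable to `disabled` here because sign-in logs keep recording what the policy would have done, which is the evidence you want when re-enabling it.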

Dimme
Visitor 1

Hello, I have the same problem. Disabling the "End user protection" policy is a solution... but that is not a solution, of course. Does anyone have a real solution for this problem? Thanks everyone.

idwilliams
Moderator

Through the implementation of the End user protection policy, users in your tenant are protected against leaked credentials. This is done through Microsoft's leaked credential service, which finds publicly available username/password pairs. If they match one of your users, we help secure that account immediately. Users identified as having a leaked credential are confirmed compromised. These users will be blocked from signing in until their password is reset. Our documentation has been updated to include details about how to prevent being locked out.

It is recommended, prior to enabling any of the baseline policies, that you configure self-service password reset for all global admin accounts. If the credentials for an account are leaked, then you will need to follow the recover-compromised-account process.

JanoschUlmer
Microsoft

If you have locked the admin account out and so cannot disable the policy, you need to open a support ticket.

From this site: https://azure.microsoft.com/en-us/support/faq/

How do I submit a support request if I cannot log in to the portal?

If you are unable to log in to the Azure Portal, visit https://aka.ms/AzurePortalHelp for assistance.

The error in the screenshot looks more like a permission problem, but support can give more details.

Kind regards, Janosch