Enabled MFA and now locked out of everything.
Figured I'd make a post here since MS isn't answering the phone at present.
I just enabled MFA for my O365 account through Azure, and now I am locked out of everything. I cannot access any pages with my O365 credentials. I am getting the screen below.
Any thoughts or suggestions?
I have a similar issue. I enabled MFA on my global admin account for my Partner Center account and enrolled the Microsoft Authenticator app. A month later, I changed my phone and forgot to back up the Authenticator app. Now each time I try to log in, it asks for an MFA code from the Authenticator app, but I don't have access to the app.
I downloaded the Authenticator app on the new phone, but I can't enroll in the app as I can't log in to the account in Azure AD.
Please help.. any advice on how to go about this?
@ebukoz : So you have only one global admin account in your tenant? You have only set up one authentication method?
Having at least two admin accounts, and each global admin having more than one authentication method or more than one app registered for MFA, would always be strongly recommended.
See also https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access
This guidance is applicable also to CSP, with the only difference that in a CSP tenant you cannot exclude any account from MFA completely.
If there is any other admin account, this admin can reset the MFA registration status.
I know it is maybe too late for this guidance now; this is still one part of the answer though, and hopefully it helps others following this thread avoid the same problem.
The 2nd aspect is that you can now actually back up & recover accounts in the app, though I guess this also comes too late.
Another option could be to attempt sign in with this account to a Win10 device that has a TPM - and the device has Windows Hello for Business set up (for the global admin account) or is AzureAD (hybrid) joined (with the global admin account and MFA was enabled during registration). When using Edge browser/Edge Preview, or Chrome with the Microsoft Account AddIn, the device might work as second factor in this scenario.
Finally, if all above fails, you can open a support ticket using this form: https://aka.ms/AzurePortalHelp or via phone
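Added example, not part of the reply above or of any Microsoft documentation: a script that checks the two things that reply recommends, that the tenant has more than one Global Administrator and that each of them has more than one non-password authentication method registered. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the two read-only scopes named in the `Connect-MgGraph` call; the role name, scope names and property names are the ones the Graph API uses, everything else (variable names, the warning text) is this example's own.

```powershell
# Added example, not from the thread: list Global Administrators and count the
# non-password authentication methods each has registered, so you can confirm
# nobody is one lost phone away from being locked out.
# Assumes the Microsoft.Graph SDK is installed and the caller can consent to
# these two read-only scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All'

$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members can also be groups or service principals; only users have MFA methods.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
    # Each method carries its type in @odata.type, e.g.
    # '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'; the password
    # is listed as a method too, so it is filtered out before counting.
    $strong = @($methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    })

    [pscustomobject]@{
        User          = $m.AdditionalProperties['userPrincipalName']
        StrongMethods = $strong.Count
        MethodTypes   = ($strong | ForEach-Object {
                            ($_.AdditionalProperties['@odata.type'] -split '\.')[-1]
                        }) -join ', '
    }
}

$report = @($report)
$report | Format-Table -AutoSize

# Flag exactly the two situations the reply warns about.
if ($report.Count -lt 2) {
    Write-Warning 'Fewer than two Global Administrators: set up an emergency-access account.'
}
$report | Where-Object { $_.StrongMethods -lt 2 } | ForEach-Object {
    Write-Warning "$($_.User) has $($_.StrongMethods) MFA method(s) registered; add a second one."
}
```

Run it from an account that still can sign in. An admin with `StrongMethods = 0` is in exactly the situation described earlier in the thread once a baseline or Conditional Access policy starts requiring MFA; an admin with `StrongMethods = 1` is the "forgot to back up the Authenticator app" case waiting to happen.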
Hi, yesterday I implemented MFA and this appears to have worked when logging into the Partner Centre and to my OWA account. I am able to authenticate through the Authenticator app, which works well and correctly.
Trouble is, since implementing this I can gain access to my mail through OWA, and through mobile phone and tablet, but not through Outlook on my PC. I have tried setting up a new profile and it gets as far as asking for a password, then goes into a loop asking for the password time and time again. I know the password is correct as I can log in to OWA using the same password.
A support ticket to Microsoft has led to being chased around the houses, hoping somebody on here might be able to advise or help. Many thanks.
Once you enable MFA, you need an app password in Outlook. It no longer takes your Office 365 password.
@eric_CM This is only true for Outlook versions older than 2013. For 2013 and newer this can happen when Modern authentication was disabled (either in Exchange Online in your tenant, in Outlook locally, or both).
- Set up Exchange Online for Modern Authentication:
- Set up Outlook:
- A common "hack" some customers might have used is disabling Modern Auth via registry; they should check the following registry keys:
- For Office 2016 and newer:
- HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL should show “1” not “0”
- For Office 2013:
- HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL should show “1” not “0”
- Reference: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/enable-modern-authentication?view=o365-worldwide
- Another known issue: https://support.microsoft.com/en-us/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled
- Also, I have heard that in some scenarios additional problems could be solved by deleting the stored credentials for Office in Windows Credential Manager, but this should be a last resort after checking the above config first:
- If none of the above works, the Exchange/Outlook support needs to take a look at this.
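Added example, not part of the reply above: a small set of functions that check the client-side and tenant-side Modern Authentication settings that reply lists. The registry paths and the `EnableADAL` value name are the ones given in the reply; the tenant-side check uses the `OAuth2ClientProfileEnabled` property of `Get-OrganizationConfig` from the ExchangeOnlineManagement module and assumes you have already run `Connect-ExchangeOnline`. Function names and the wording of the reported states are this example's own.

```powershell
# Added example, not from the thread: check the Modern Auth (ADAL/OAuth)
# settings on the Outlook client and in the Exchange Online tenant.

function Test-OutlookModernAuth {
    # Client side: returns one object per Office version with the EnableADAL
    # value found under the keys named in the reply above.
    $versions = @(
        @{ Name = 'Office 2016 and newer'; Path = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity' }
        @{ Name = 'Office 2013';           Path = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity' }
    )
    foreach ($v in $versions) {
        $value = $null
        if (Test-Path $v.Path) {
            $value = (Get-ItemProperty -Path $v.Path -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
        }
        $state = switch ($value) {
            1       { 'enabled' }
            0       { 'DISABLED by registry: set to 1 (or delete the value) and restart Outlook' }
            default {
                if ($v.Name -like 'Office 2016*') { 'not set (Office 2016+ defaults to enabled)' }
                else                               { 'not set (Office 2013 needs EnableADAL=1)' }
            }
        }
        [pscustomobject]@{ Version = $v.Name; Path = $v.Path; EnableADAL = $value; State = $state }
    }
}

function Repair-OutlookModernAuth {
    # Sets EnableADAL=1 under the given key. Run only after Test-OutlookModernAuth
    # reported the value as 0, then restart Outlook and recreate the profile.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name EnableADAL -Value 1 -Type DWord
}

function Test-ExoModernAuth {
    # Tenant side: OAuth2ClientProfileEnabled is the Exchange Online switch for
    # Modern Authentication. Requires an existing Connect-ExchangeOnline session.
    $cfg = Get-OrganizationConfig
    [pscustomobject]@{
        Tenant                     = $cfg.Name
        OAuth2ClientProfileEnabled = $cfg.OAuth2ClientProfileEnabled
    }
}

# Client check runs locally with no tenant connection.
Test-OutlookModernAuth | Format-Table -AutoSize
```

If `Test-ExoModernAuth` reports `OAuth2ClientProfileEnabled = False`, the tenant itself is still on basic authentication and the fix is `Set-OrganizationConfig -OAuth2ClientProfileEnabled $true`, which, as the following reply notes, can take some hours to take effect before a new Outlook profile will stop looping on the password prompt.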
This is a cache issue with the Autodiscover service, or your Exchange Online deployment doesn't have ADAL (Modern Auth) activated. Both of these requirements can take several hours. In the meantime you can use an app password to bypass the authentication for the Autodiscover service, or wait for tomorrow to create a new Outlook profile.
Hope it helps.
You might want to dig into some PowerShell; the PartnerCenter cmdlet might let you in. I looked, and it seems that enabling and disabling Conditional Access isn't exposed in PowerShell yet, but you might want to double-check my research. You might find a way to turn it off via PowerShell so you can get in and use the GUI that every product and system should have on Microsoft products....
Here's an overview that might help you next time, including steps to take prior to enabling to ensure you can get in:
Hello, I have the same problem. Disabling the "End user protection" policy is a solution...... But that is not a solution of course. Does anyone have a real solution for this problem? Thanks everyone.
Through the implementation of the End user protection policy, users in your tenant are protected against leaked credentials. This is done through Microsoft's leaked credential service, which finds publicly available username/password pairs. If they match one of your users, we help secure that account immediately. Users identified as having a leaked credential are confirmed compromised. These users will be blocked from signing in until their password is reset. Our documentation has been updated to include details about how to prevent being locked out.
It is recommended prior to enabling any of the baseline policies that you configure self service password reset for all global admin accounts. If the credentials for an account are leaked, then you will need to follow the recover compromised account process.
If you locked the admin account out and so you cannot disable the policy, you need to open a support ticket.
From this site: https://azure.microsoft.com/en-us/support/faq/
How do I submit a support request if I cannot log in to the portal?
If you are unable to log in to the Azure Portal, visit https://aka.ms/AzurePortalHelp for assistance.
The error in the screenshot looks more like a permission problem, but the support can give more details.