What do you do if your phone crashes or dies whilst you have Office 365 set up to use Multi-Factor Authentication (MFA) on your account?
The answer is to hope that you've either:
Got another account with admin privileges from which you can reset the user's MFA options from within Microsoft Azure AD.
Got an alternative second-factor option configured, e.g. a recovery mobile number or email address.
Or backed up your Authenticator app using a Microsoft personal account and so can recover it.
This happened to us a few days ago.
Reset MFA for a user from Azure AD
Finding the "button" to press isn't straightforward, as it's well hidden inside Azure AD. First, log in to Azure and open Azure AD:
Once in Azure AD select the “Users” button on the left navigation:
Don't be fooled by the "Multi-Factor Authentication" link at the top right: that takes you to a list of users and their per-user MFA state (disabled, enabled or enforced) and lets you change those settings, but it does not reset a user's registered methods.
Instead, select the user you want to reset MFA for: click the user's name rather than ticking the box to the left of it. This takes you into the configuration pane for that particular user.
Now select “Authentication methods” in the left navigation:
This page lets you both reset the user's password and "Require re-register MFA". Once that is clicked, the user can sign in to https://portal.office.com again; after entering their username and password they will be prompted to set up MFA afresh and can register the Microsoft Authenticator app on their new phone.
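The same reset can be scripted, which matters when the admin is doing this for several users or wants a repeatable, auditable procedure. The block below is an added example and not code from the original post: it uses the Microsoft Graph PowerShell SDK to list a user's registered authentication methods and remove the Authenticator app (and, optionally, phone and software OATH token) registrations, which has the same effect as the portal's "Require re-register MFA": the user is asked to register again at next sign-in. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds a role allowed to manage authentication methods (Authentication Administrator, or Privileged Authentication Administrator for admin accounts), and the user principal name `alice@contoso.com` is a placeholder.

```powershell
# Added example, not code from the original post: clear a user's registered MFA
# methods with the Microsoft Graph PowerShell SDK so they are prompted to register
# again at next sign-in (the scripted equivalent of "Require re-register MFA").
# Assumes the Microsoft.Graph module is installed and that the admin has already run:
#   Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function Reset-UserMfaMethods {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # UPN or object ID of the locked-out user
        [Parameter(Mandatory)] [string] $UserId,
        # Phone methods are kept by default: if the user still has their number on a
        # replacement SIM, SMS lets them sign in and re-register the app themselves.
        [switch] $IncludePhone
    )

    # One call returns every registered method; the concrete type is only
    # visible in the @odata.type property carried in AdditionalProperties.
    $methods = Get-MgUserAuthenticationMethod -UserId $UserId

    foreach ($m in $methods) {
        $type = $m.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                if ($PSCmdlet.ShouldProcess($UserId, "remove Authenticator app registration $($m.Id)")) {
                    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
                }
            }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                if ($PSCmdlet.ShouldProcess($UserId, "remove software OATH token $($m.Id)")) {
                    Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserId -SoftwareOathAuthenticationMethodId $m.Id
                }
            }
            '#microsoft.graph.phoneAuthenticationMethod' {
                if ($IncludePhone -and $PSCmdlet.ShouldProcess($UserId, "remove phone method $($m.Id)")) {
                    Remove-MgUserAuthenticationPhoneMethod -UserId $UserId -PhoneAuthenticationMethodId $m.Id
                }
            }
            '#microsoft.graph.passwordAuthenticationMethod' {
                # The password is itself a method and cannot be removed; leave it alone.
            }
            default {
                Write-Warning "Leaving $type ($($m.Id)) in place; remove it by hand if it should go too"
            }
        }
    }

    # Show what is left so the admin can confirm only the intended methods remain.
    Get-MgUserAuthenticationMethod -UserId $UserId |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
}

# Dry run first (alice@contoso.com is a placeholder), then for real:
#   Reset-UserMfaMethods -UserId 'alice@contoso.com' -WhatIf
#   Reset-UserMfaMethods -UserId 'alice@contoso.com'
```

Run it with `-WhatIf` first: the function honours ShouldProcess, so the dry run prints what it would remove without touching anything. Unrecognised method types (FIDO2 keys, Temporary Access Pass and so on) are deliberately left in place with a warning rather than removed blindly, since a hardware key that survived the phone is exactly the kind of backup factor this post is arguing for. The retired MSOnline module did the same job in one call, `Reset-MsolStrongAuthenticationMethodByUpn`, but new scripts should target Graph.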
A second second factor
The Office 365 MFA registration process allows the user to set up a recovery mobile number and email address to prevent this situation from happening again. I'd recommend users do this to avoid being locked out when their only registered device fails.
Authenticator app backup
It's also possible to set the Microsoft Authenticator app to back itself up to a Microsoft personal account. I can't take a screenshot of this, however, as the security policy I have configured prevents it: select the three dots in the top right of the app and choose "Turn on backup", at which point you are asked to provide a suitable account.
Why use an authenticator app at all?
This might be obvious to some readers but perhaps not to all: relying purely on a username and password for security is risky. Usernames are typically email addresses and so effectively public, whilst passwords can be brute-forced, with an attacker making thousands of logon attempts with different passwords, from anywhere in the world, in the hope of guessing the right one. There are some defenses against brute-force attacks, such as limiting the number of failed logon attempts from a particular IP address in a period of time (e.g. 5 attempts permitted in 5 minutes), but an attacker who spreads the attempts across many addresses, or tries one common password against many accounts (password spraying), stays under such a limit. A better approach is to add a second factor to the login process, something else the user has to provide, and this is where authenticator apps come into their own.
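To make the "5 attempts in 5 minutes" idea concrete, and to show why a per-IP limit alone is not enough, here is an added example (not from the original post) that runs a sliding-window check over sign-in records. The records are constructed inline to resemble Azure AD sign-in log entries exported as JSON (the `createdDateTime`, `userPrincipalName`, `ipAddress` and `status.errorCode` fields follow that export, and 50126 is the "invalid username or password" error code); the addresses are from documentation ranges and the tenant `contoso.com` is a placeholder. It goes slightly beyond the paragraph by adding a second check for password spraying, which the per-IP rule misses.

```powershell
# Added example, not code from the original post: sliding-window detection of
# brute force (many failures from one IP) and password spraying (failures spread
# across many accounts) in Azure AD-style sign-in records.

function Find-SignInAbuse {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $Threshold = 5,        # failures per IP allowed inside the window
        [int] $SprayUsers = 3,       # distinct accounts failing inside the window
        [int] $WindowMinutes = 5
    )
    $window  = [TimeSpan]::FromMinutes($WindowMinutes)
    $results = @()

    # Only failed sign-ins matter; errorCode 0 is a success.
    $failed = $SignIns | Where-Object { $_.status.errorCode -ne 0 } |
        Sort-Object { [datetime]$_.createdDateTime }

    # Brute-force check: per source IP, count failures inside a sliding window.
    foreach ($group in ($failed | Group-Object ipAddress)) {
        $recent = New-Object 'System.Collections.Generic.Queue[datetime]'
        foreach ($e in $group.Group) {
            $t = [datetime]$e.createdDateTime
            $recent.Enqueue($t)
            # Drop events that have slid out of the window.
            while (($t - $recent.Peek()) -gt $window) { [void]$recent.Dequeue() }
            if ($recent.Count -ge $Threshold) {
                $results += [pscustomobject]@{ Kind = 'BruteForce'; Key = $group.Name; Failures = $recent.Count; At = $t }
                break
            }
        }
    }

    # Spray check: distinct accounts with failures inside the window, ignoring IP,
    # so low-and-slow attempts from many addresses are still caught.
    $recent = New-Object 'System.Collections.Generic.Queue[object]'
    foreach ($e in $failed) {
        $t = [datetime]$e.createdDateTime
        $recent.Enqueue(@{ Time = $t; User = $e.userPrincipalName })
        while (($t - $recent.Peek().Time) -gt $window) { [void]$recent.Dequeue() }
        $users = @($recent | ForEach-Object { $_.User } | Sort-Object -Unique)
        if ($users.Count -ge $SprayUsers) {
            $results += [pscustomobject]@{ Kind = 'PasswordSpray'; Key = ($users -join ','); Failures = $recent.Count; At = $t }
            break
        }
    }
    return $results
}

# Constructed sample: 203.0.113.10 hammers one account, while 198.51.100.x try one
# password each against different accounts and never exceed the per-IP limit.
$sample = @'
[
  {"createdDateTime":"2024-03-01T09:00:10Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:00:15Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.21","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:00:40Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:00:50Z","userPrincipalName":"carol@contoso.com","ipAddress":"198.51.100.22","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:01:05Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:01:20Z","userPrincipalName":"dave@contoso.com","ipAddress":"198.51.100.23","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:01:30Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:02:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:02:20Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
  {"createdDateTime":"2024-03-01T09:03:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":0}},
  {"createdDateTime":"2024-03-01T09:10:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.5","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

Find-SignInAbuse -SignIns $sample | Format-Table -AutoSize
```

On the sample, the per-IP rule fires for 203.0.113.10 at the fifth failure (09:02:00), and the spray rule fires at 09:00:50 once three distinct accounts have failed inside the window, even though no single spraying address ever exceeded one attempt. The successful sign-in from 203.0.113.10 at 09:03:00 right after the burst is the sort of event worth investigating: a second factor is what stops a guessed password from being enough on its own.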
I'd strongly advise all my customers, clients and partners to use 2FA or MFA in the form of an authenticator app wherever possible, so that their accounts remain theirs.