T The Triage ManualTechnical Guides for IT Emergencies
P2 · Microsoft 365 & Collaboration

Entra ID MFA Failures — Lost Device Recovery, Repeated Prompt Loops, and Microsoft Authenticator Malfunctions

Multi-Factor Authentication failures in Microsoft Entra ID manifest as complete lockout after phone loss, persistent MFA re-prompting despite successful authentication, or Microsoft Authenticator push/TOTP failures. Root causes include device registration state mismatches, Conditional Access session policy misconfiguration, authentication token cache corruption, and time-sync drift on authenticator devices. Resolution requires identifying the failure subtype — lost device recovery uses admin-side MFA method reset with Temporary Access Pass, prompt loops require session revocation and Conditional Access policy adjustment, while Authenticator issues need device-level time sync verification and account re-registration.

Indicators

Likely causes

Diagnostic steps

  1. Review Entra ID Sign-in logs: Entra admin center > Identity > Monitoring & health > Sign-in logs. Filter by user UPN and incident time range. Examine Authentication details tab on failed events — note MFA method attempted, result (Success/Failure/MFA required), and failure reason code.
    Establishes whether failure is missing/invalid factor, policy block, session issue, or app problem — determines resolution path
  2. Check user's registered authentication methods: Entra admin center > Identity > Users > [user] > Authentication methods. Review registered methods (Authenticator, phone, FIDO2). If no methods listed, user has no valid second factor.
    Confirms lost-phone scenario leaving user with zero factors, or identifies alternative methods available for recovery
  3. For repeated prompt complaints: Review Conditional Access policies — Entra admin center > Identity > Protection > Conditional Access > Policies. Check each applicable policy's Session controls: 'Sign-in frequency' (short intervals cause frequent prompts), 'Persistent browser session' ('Never persistent' prevents session persistence). Also check per-user MFA 'Remember MFA on this device' setting.
    Identifies Conditional Access session control misconfiguration versus client-side token/cache issues
  4. For TOTP code rejections: Verify device time sync — iOS: Settings > General > Date & Time > Set Automatically (ON). Android: Settings > General Management > Date and Time > Automatic date and time (ON). In Authenticator app, tap account > three-dot menu > 'Refresh' or 'Sync time' if available.
    Identifies and remediates clock skew causing TOTP codes to fall outside server acceptance window
  5. For push notification failures: Verify app permissions — iOS: Settings > Notifications > Authenticator > Allow Notifications (ON). Android: Settings > Apps > Microsoft Authenticator > Notifications (ON). Confirm device not in Do Not Disturb. Ask user to open Authenticator and check for pending requests inside app.
    Distinguishes OS-level notification permission block or DND interference from infrastructure issues
  6. Check Entra ID MFA service health: Navigate to https://status.office.com or Microsoft 365 admin center > Health > Service health > Azure Active Directory / Microsoft Entra. Filter for active MFA incidents and cross-reference with failure timestamps.
    Rules out Microsoft-side service outage before per-user remediation
  7. Verify caller identity using the approved out-of-band verification process (callback to manager, employee ID + secondary factor) before performing any account changes
    Prevents helpdesk password/MFA reset being used as a social-engineering initial access vector
  8. Check AD account state: Get-ADUser -Identity <samAccountName> -Properties LockedOut,Enabled,PasswordExpired,PasswordLastSet,BadLogonCount,LastBadPasswordAttempt
    Determines whether the required action is unlock, reset, or re-enable
  9. Trace lockout source on PDC emulator: Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{LogName='Security';ID=4740} -MaxEvents 20 | Format-List TimeCreated,Message
    Locates offending device/service causing repeat lockouts so root cause (not just symptom) is remediated

Resolution path

Prevention

Tools

References

MFAmulti-factor-authenticationMicrosoft AuthenticatorEntra IDAzure ADlost phoneauthenticationConditional AccessTemporary Access PassTOTPpush notificationsession managementidentityMicrosoft 365account lockouthelpdeskSecurity DefaultsActive Directorypassword resetSSPRKerberosPDC emulatorsocial engineering