Can’t log into Azure tenant after resetting Microsoft Authenticator

Organisations that manage identities and user authentication with Office 365 accounts use single sign-on (SSO) for web, desktop and mobile apps. The user experience usually consists of a web-based login form followed by a second factor: a push notification in the Microsoft Authenticator app or an SMS sent to the user's phone.

Microsoft login screen

The authenticator app can manage multiple accounts. Adding a new account usually involves scanning a QR code or entering a token.

Microsoft authenticator app

Logging into the Azure tenant (e.g. portal.azure.com at the time of writing) is a two-step process: first the user is authenticated against the organisation's AD, and then against the tenant. Because of prior interaction with SSO, users are usually already logged in, so when they access the tenant they are prompted for only one authentication token. In a fresh browser session (e.g. incognito mode), a user will be asked first to authenticate against the organisation AD and then again against the tenant.

That second step is often neglected after a phone reset: login to all company applications (Outlook, MS Teams, Office) works fine, but logging into the Azure tenant will not work. This is especially hard to identify the first time it happens, because the user credentials for the tenant login will often be the same as the organisation credentials (e.g. in the case of AD synchronisation), so logins just fail and notifications never arrive.

The solution is simple: ask the tenant administrator to re-enroll your user.
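For the administrator side of that re-enrollment, here is an added example (not from the original post) using the Microsoft Graph PowerShell SDK: it lists the Microsoft Authenticator registrations on the user's account, which after a phone reset still include the old device, and removes the stale one so the user can register the reset phone again. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in admin holds a role allowed to manage authentication methods (e.g. Authentication Administrator); the UPN is a placeholder.

```powershell
# Added example: clean up a stale Microsoft Authenticator registration
# after a phone reset, so the user is prompted to enroll the device again.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns

$UserPrincipalName = "user@contoso.example"   # placeholder, replace with the affected user

# Delegated permission needed to read and delete authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Each entry is one registered Authenticator app instance. After a reset the
# old phone's entry survives: push notifications go to a device that no longer
# holds the secret, which is why "notifications never arrive".
$methods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName

if (-not $methods) {
    Write-Host "No Microsoft Authenticator registrations found for $UserPrincipalName."
    return
}

Write-Host "Registered Authenticator devices for $UserPrincipalName:"
$methods | Select-Object Id, DisplayName, DeviceTag, PhoneAppVersion, CreatedDateTime |
    Format-Table -AutoSize

# Pick the stale entry by creation date: the oldest registration is the one
# made before the reset. Review the table above before deleting anything.
$stale = $methods | Sort-Object CreatedDateTime | Select-Object -First 1

$answer = Read-Host "Remove registration '$($stale.DisplayName)' created $($stale.CreatedDateTime)? (y/N)"
if ($answer -eq "y") {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $stale.Id
    Write-Host "Removed. Ask the user to add the account again in the Authenticator app via https://mysignins.microsoft.com/security-info."
} else {
    Write-Host "Nothing removed."
}
```

The deletion is logged in the tenant's audit log, so the change is traceable after the fact.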

Credits

My gratitude goes to Fotis Xomeritakis and Gregory Klonis for debugging this issue with me.
