Can’t log into Azure tenant after resetting Microsoft authenticator

Organisations which manage identities and user authentication with Office365 account use single sign on for web-, desktop- and mobile apps. The user experience usually consists of a web-based login form and a second-factor notification on the Microsoft authenticator app or an SMS sent to the phone.

Microsoft login screen

The authenticator app can manage multiple accounts. Adding a new account usually involves scanning a QR code or entering a token.

Microsoft authenticator app

Logging into the azure tenant (eg. at the time of writing) is a two-step process: first the user is authenticated against the organisation’s AD and then against the tenant. Because of prior interaction with SSO, users usually are already logged in, so when they access the tenant they are prompted only for one authentication token. In a fresh browser session (eg. incognito mode), a user will be asked first to authenticate against the organisation AD and then again against the tenant.

That second step is often neglected after a phone reset – while login to all company applications (Outlook, MS teams, Office) works fine, logging into the Azure tenant will not work. This is especially hard to identify if it happens the first time, because the user credentials for login will often be the same as the organisation credentials (eg. in the case of AD synchronisation), so logins just fail and notifications never arrive.

The solution is simple – ask the tenant administrator to re-enroll your user.


My gratitude goes to Fotis Xomeritakis and Gregory Klonis for debugging this issue with me.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.