Skip to end of metadata
Go to start of metadata
Guide to common MFA administration issues

Before You Start

All actions on this page take place under the Azure Active Directory section of https://portal.azure.com

  • The accounts you use must be assigned the Authentication administrator and  Reports reader roles in Azure AD
  • Sign in to https://portal.azure.com click on Azure Active Directory (The first time you may need to click → More Services then select Azure AD)

See Sign-in activity

This can be useful when troubleshooting issues with a customer connecting and to verify what the customer is telling you is accurate

  1. On the left under Monitoring click Sign-ins
  2. Click Add Filters button select Username
  3. Click Username starts with field and enter the username of the customer you are searching for
  4. You can now see all recent sign-in activity for that customer.
  5. The Columns button can be useful to add or remove columns to get more context and make it easier to read.
  6. Clicking an individual entry brings up a wealth of information, of particular interest might be Failure reason.
  7. Authentication Details can tell you if MFA was required and what the results of that MFA request were.

See if a user has registered for MFA or SSPR

This allows you to see if a user is registered for MFA and SSPR and to see what methods they have registered.

  1. On the left under Monitoring click Usage & Insights
  2. Click on Authentication methods activity
  3. You now have several "reports" you can click on. For most things you can use the left most Users registered for Multi-Factor Authentication 
  4. enter the user you are looking for in the search by name or email box
  5. Mousing over Methods Registered will show additional items if more items are in the box than can be shown. Note that it cannot report if a user is required to use MFA because that is done via conditional access and, as the name suggests, MFA requirement are conditional.

See Details of a specific user

  1. Visit the Azure Active Directory home in the Azure Portal
  2. Search for a user in the find box on the right username or full name of the user work
  3. From the user information screen you can access all of that users signins, the groups they belong to (mfaoptin membership means they will be required to use MFA) and the Authentication Methods page
  4. Authentication Methods for a user has several options including Reset Password, Require re-register MFA, and Revoke MFA Sessions It also lists several (though not all methods) registered MFA methods.
  5. While it says you can change methods the user uses to do MFA changing anything in the text boxes doesn't do anything.

 Require re-register MFA

If a user can still access their account it is usually better to walk them through managing their MFA and SSPR methods by directing them to https://aka.ms/setupsecurityinfo

When should you do this?

  1. You have verified (by having the user click sign in another way) that they do have any of their available factors available.
  2. You have verified the user is who they say they are via in-person verification or over the phone procedures for password reset (G# and Birthdate)
  3. The person cannot access their account and does not have access to any of their registered MFA methods

This will remove all their registered MFA methods and at next sign in prompt them to re-register MFA

  1. Follow directions above for seeing details of a specific user.
  2. Navigate to the Authentication Methods page for the user and click Require re-register MFA

Revoke MFA Sessions

When should you do this?

  • You are aware that a persons account has been compromised
  • The customer believes their account has been compromised

This will just force the user to provide MFA on next sign-in from all their devices.

  1. Follow directions above for seeing details of a specific user.
  2. Navigate to the Authentication Methods page for the user and click Revoke MFA Sessions

Related articles


More Help

For questions, contact the CIT HelpDesk by calling (585) 245-5588, or visiting our online service desk.