
Troubleshooting Azure Multi-Factor Authentication

Published: May 20, 2013

Updated: December 3, 2014

This section covers sign-in problems related to additional security verification and how to remedy them.

  • If you previously configured a backup phone, try again by selecting that phone when prompted from the sign-in page.

  • If you don’t have another method configured, contact your admin and ask them to update the number assigned to your primary phone – mobile or office.

  • Currently, additional security verification can only be used with applications and services that you access through your browser. Non-browser applications (also referred to as rich client applications) that are installed on your local computer, such as Outlook, Lync, and Windows PowerShell, will not work with accounts that are required to use additional security verification. In this case, you may see the application generate error 0x800434D4L.

  • A workaround for this is to have separate user accounts for admin-related operations and non-admin operations. You can later link mailboxes between your admin account and non-admin account so you can sign in to Outlook using your non-admin account. For more details about this, see Give an Administrator the Ability to Open and View the Contents of a User's Mailbox.

  • Go to https://account.activedirectory.windowsazure.com/profile/ and sign in with your organizational account.

  • If needed, click Other verification options and select a different option for completing the account verification.

  • Click Additional Security Verification.

  • Remove the existing account from your mobile application.

  • Click Configure and follow the instructions to re-configure the mobile application.

  • Depending on which portal you are using, in the left pane, click either Users or Users and Groups.

  • Depending on which portal you are using, select the check box next to the user that you want to edit, and then click either Edit or the Edit icon.

  • Click Settings. Under Assign role, select Yes, and add the user back to the previous admin role.

  • Go to the multi-factor authentication page. The account should now be showing up in the list on the page. Follow the steps above to disable multi-factor authentication for an account. At this point, you can now remove the account from the admin role.

  • You can reset the user by forcing them to go through the registration process again. To do this, see Managing User Settings.

  • You can delete all of the user's app passwords and have them recreate them once they get a replacement device. To do this, see Managing User Settings.

  • Users enabled for multi-factor authentication will require an app password to sign in to non-browser apps such as Outlook, mail clients, Lync, etc. Users will need to clear the sign-in info (delete sign-in info), restart the application, and sign in with their username and app password. Please read this article. Watch a video showing these steps at How to Set Up Multi-Factor for Your Account or follow the steps documented here.


© 2014 Microsoft