cosmistack-logo

How To Reset MFA for an Entra ID User

By Jake Turner on 7/3/26

Description: A complete guide to resetting multifactor authentication (MFA) for an Entra ID (formerly Azure AD) user. Covers the the different approaches plus needed permissions and how to troubleshoot.

Background

It's a common scenario: one of your users gets a new phone, loses access to Microsoft Authenticator, or leaves the organization, and now their multifactor authentication needs a reset. In a clinic or veterinary practice, that's not a minor inconvenience. A front-desk staffer locked out of their account at 8 AM means patients waiting while someone scrambles for a fix.


Thankfully, resetting MFA is an easy fix. Microsoft's own documentation doesn't lay it out the clearest, so we've boiled it down for you here. This guide covers three ways to do it (the Entra admin center, the Azure portal, and PowerShell), explains exactly what each option does, and shows you how to troubleshoot when a reset doesn't seem to stick.


If you just want the fast answer, jump to Method 1. If you manage MFA regularly, the sections on permissions, PowerShell, and troubleshooting can save you time down the road.


What "Resetting MFA" Actually Does

Before you click anything, it helps to know what the two key buttons do, because they solve different problems:

  • Require re-register multifactor authentication. This clears the user's registered MFA methods and forces them to set MFA up again the next time they sign in. Use this when someone has a new phone, deleted the Authenticator app, or otherwise can't complete their existing MFA prompt.
  • Revoke multifactor authentication sessions. This signs the user out of active sessions and invalidates their refresh tokens, so every device has to re-authenticate. Use this when a device is lost or stolen, or any time you have a security concern and want to cut off existing access immediately.

In many real situations you'll want both: require re-registration so the old method is gone, and revoke sessions so a lost device can't keep using a still-valid token. We'll point out where to click each one.


Before You Begin: Permissions You'll Need

Make sure you have sufficient access to manage users and their authentication methods. Resetting MFA is a privileged action, so you'll need an appropriate directory role:

  • Authentication Administrator can reset MFA for non-administrator users. This is the least-privileged role that gets the job done for most everyday resets, and it's the one we recommend assigning to help-desk staff.
  • Privileged Authentication Administrator is required to reset MFA for other administrators (for example, a Global Administrator's account).
  • Global Administrator can do all of the above, but it's overkill for a routine reset. Follow least-privilege and assign the narrower role where you can.

Method 1: Using the Microsoft Entra Admin Center (Recommended)

The Entra admin center is Microsoft's current home for identity management, and it's what we'd recommend you use if this is a new process for you.

  1. Open the Microsoft Entra admin center
  2. In the left sidebar, navigate to Identity > Users > All users
  3. Find the user you need to reset MFA for and click on their name
  4. In the left sidebar, navigate to Manage > Authentication methods
  5. At the top of the page, click Require re-register multifactor authentication. If a device was lost or stolen, or you have any security concern, also click Revoke multifactor authentication sessions to cut off existing sessions that are still live.

That's it. The user will be prompted to re-enroll in MFA the next time they sign in.

Method 2: Using the Azure Portal

The Azure portal reaches the same settings and remains fully supported. If it's where your team already works, here's the steps:

  1. Open the Azure Portal
  2. Navigate to Microsoft Entra ID
  3. In the left sidebar, navigate to Manage > Users
  4. Find the user you need to reset MFA for and click on their name
  5. In the left sidebar, navigate to Manage > Authentication methods
  6. At the top of the page, click Require re-register multifactor authentication. As with the Entra admin center, click Revoke multifactor authentication sessions as well if a device was stolen or you otherwise have security concerns.

Both methods do the same thing under the hood, so use whichever portal your team is more comfortable in. Going forward, we recommend the Entra admin center, since Microsoft is steadily consolidating identity management there.

Method 3: Using PowerShell (For Bulk or Repeat Resets)

If you're resetting MFA for one user once in a while, the portal is quickest. But if you manage many tenants or need to reset several users at once, the Microsoft Graph PowerShell SDK is far faster and scriptable.

First, connect with the right scopes:

1Install-Module Microsoft.Graph -Scope CurrentUser   # first time only
2Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

To force a user to re-register, remove their existing authentication methods. For example, to remove a registered Microsoft Authenticator method:

1$userId = "[email protected]"
2
3
4# List the user's Microsoft Authenticator registrations
5Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $userId
6
7
8# Remove a specific registration by its ID
9Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
10  -UserId $userId `
11  -MicrosoftAuthenticatorAuthenticationMethodId "<method-id>"


Phone (SMS/call) methods work the same way with Get-MgUserAuthenticationPhoneMethod and Remove-MgUserAuthenticationPhoneMethod.

To revoke active sessions (the scripted equivalent of the "Revoke multifactor authentication sessions" button):

1Revoke-MgUserSignInSession -UserId $userId

Once a user's methods are removed, they'll be prompted to set MFA up again at their next sign-in, exactly as if you'd used the portal.

Tip: If handling Graph permissions and identity tooling across every clinic account is eating your week, that's precisely the kind of work our Managed IT team handles day in and day out. We manage the tenant so you can manage your practice.

What the User Sees Next

After a reset, there's nothing the user needs to do until their next sign-in. At that point Entra walks them through re-registration automatically:

  1. They enter their username and password as usual.
  2. Entra prompts them to set up a sign-in method (typically Microsoft Authenticator, but it depends on the methods you've enabled).
  3. They follow the on-screen steps to register the new method, and they're back in.

If you want to control which methods appear here (say, disabling SMS or requiring Authenticator), see our guides on enabling authentication methods in Entra ID and changing MFA methods for Entra ID.

Troubleshooting: When a Reset Doesn't Take

Most resets work instantly, but here are the issues we see most often and how to clear them:

  • The user still isn't prompted to re-register. Entra changes can take several minutes to propagate. Have the user close their browser completely (or sign out of all sessions), wait about ten minutes, and try again. If you didn't revoke sessions, an existing valid token can keep them signed in without a fresh prompt.
  • You don't see the "Require re-register" button. You're likely missing the right role. Confirm you hold Authentication Administrator (for regular users) or Privileged Authentication Administrator (for admin accounts).
  • The user has no way to receive a code. If every enabled method depends on a device they no longer have, enable an alternative method (like Email OTP or a temporary access pass) before you reset, so they have a path back in.
  • You're resetting an administrator and it's blocked. Standard Authentication Administrators can't reset other admins by design. Use a Privileged Authentication Administrator account.
  • The account is a shared or break-glass account. Reset with caution, and make sure at least one emergency-access account always retains working credentials so you don't lock yourself out of the tenant.

Related Reading

If you're managing MFA and identity in Entra, we have some other guides that pair well with this one:

Frequently Asked Questions

How do I reset MFA for a user in Microsoft Entra?

Open the Microsoft Entra admin center, go to Identity > Users > All users, select the user, open Manage > Authentication methods, and click Require re-register multifactor authentication. The user sets up MFA again at their next sign-in.

What's the difference between "require re-register" and "revoke sessions"?

"Require re-register" clears the user's registered MFA methods so they enroll again at next sign-in. "Revoke multifactor authentication sessions" signs them out everywhere and invalidates their tokens so every device must re-authenticate. Use both when a device is lost or stolen.

What permissions do I need to reset a user's MFA?

The Authentication Administrator role can reset MFA for standard users. Resetting MFA for another administrator requires the Privileged Authentication Administrator role. Global Administrators can do both.

How long does an MFA reset take to apply?

Usually it's immediate, but changes can take several minutes to propagate. If the user still isn't prompted, have them sign out of all sessions, wait about ten minutes, and try again.

Can I reset MFA for many users at once?

Yes. Use the Microsoft Graph PowerShell SDK to remove registered authentication methods and revoke sessions in a script, which is far quicker than the portal for bulk or repeat resets.

Does resetting MFA change the user's password?

No. Resetting MFA only affects the user's multifactor authentication registration. Their password is unchanged.


Conclusion

That's it! Resetting MFA for an Entra ID user comes down to a few clicks in the Entra admin center or Azure portal, or a couple of lines of PowerShell if you're doing it at scale. Know which button you need (re-register to reset the method, revoke sessions to cut off access), confirm you have the right role, and give the change a few minutes to propagate.

If your practice would rather not think about Entra roles, authentication methods, and license mixes at all, that's where we come in. Cosmistack is an authorized Microsoft CSP partner, so we can handle your Microsoft 365 licensing at competitive pricing with consolidated billing, or take the whole tenant off your plate with our Managed IT services. Reach out anytime for a no-pressure consultation. Thanks for reading!

Loading...

Tags:

entramulti-factor authenticationazureactive directoryentra reset mfaentra id reset mfarequire re-register multifactor authenticationazure ad reset mfa

Disclaimer: The information provided in this article is for educational and informational purposes only. The techniques, tools, and technologies discussed are intended to be used by individuals with a solid understanding of the subject matter. Readers are entirely responsible for any actions they take based on the content of this article. This blog and its authors do not assume any responsibility for any unintended outcomes, data loss, or issues that may arise from following the instructions or recommendations provided.