How does a Guest User reset their MS Authenticator MFA settings in Azure Active Directory?

I know how to reset my Authenticator app MFA settings in my host tenant. I would use this link https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 per instructions found here https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-manage-settings, and I would click on the "Set up Authenticator app" button.


But how do I reset my MFA in a tenant where I am a Guest?

successhawk Avatar asked Jul 24 '20 18:07

People also ask

Can we enable MFA for guest Users in Azure?

In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they are enabled for members of your own organization.

2 Answers

Provided you still have access to the original MFA device, or originally configured to also allow SMS MFA login, these instructions worked for me. This is based on what @Carl linked to above (http://www.uclabs.blog/2018/03/mfa-with-guest-access-and-different.html), but expanded out a bit as I struggled to follow it as written.

BTW I recommend doing all this in a private/incognito window, to be sure you know what you are logged in as.

  1. Login to https://myapplications.microsoft.com/ using your 'normal' tenancy credentials.

  2. Select the profile badge for you (circle, top right), and select 'Switch organisation' to log into the guest tenancy you want to reconfigure. At this point if you don't have access to the current MFA authenticator device you will need to use 'login another way' to use SMS MFA for this login.

  3. Now, in the guest tenancy, select your badge again, and select 'My Profile'. If you don't see 'My Profile', use the ellipsis (...) and select to leave the 'new experience'. When the page reloads, now you should find the 'My Profile' link under your badge.

  4. On the profile page, right hand side, you should see 'Additional Security Verification'. This should get you to this page in the guest tenancy: https://account.activedirectory.windowsazure.com/Proofup.aspx

  5. From there you should see options to (re)setup your Authenticator app (scan the QR code etc...). Don't forget to delete the registration for your old phone too.

piers7 Avatar answered Dec 23 '22 11:12

If you have only one MFA method set, and this method is lost to you, then as far as I know you cannot join the guest organizations that you need to reset the MFA for. This means you cannot reset your authenticator app by going to your profile as is suggested in the other answer.

If you have set multiple methods for MFA (like authenticator AND phone number) then you may be able to log in using the 'Sign in another way' option. With this extra MFA option you can reset the MFA options that are lost to you, through https://myaccount.microsoft.com/

When you are completely locked out of the tenants you are guest in, because you lost access to all your configured MFA options, what needs to be done is this:

  1. Contact a global administrator of the organization you are guest in

  2. Let her/him/them go to your user account (Azure Active Directory > Users)

  3. Then she/he/they need to select 'Profile > Authentication Methods'

  4. And click 'Require re-register MFA'

  5. After that you are asked to set up MFA again for that organization when logging in.


Datautomate Avatar answered Dec 23 '22 10:12

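The administrator-side reset in the answer above (steps 1 to 4, the 'Require re-register MFA' action on the guest's user object) can also be scripted. The following is an added example, not code from the question or either answer, using the Microsoft Graph PowerShell SDK: it looks up the guest in the inviting tenant, lists every registered authentication method so the change is auditable, and removes the Authenticator-app registrations so the guest is prompted to register again at next sign-in. It assumes the Microsoft.Graph module is installed and that the caller holds a role allowed to manage authentication methods; the guest e-mail address is a constructed placeholder.

```powershell
# Added example (not from the question or answers): an administrator of the
# inviting tenant resets a guest user's Authenticator registrations with the
# Microsoft Graph PowerShell SDK, the scripted equivalent of the portal's
# 'Require re-register MFA' step. Assumes the Microsoft.Graph module is
# installed and the caller may manage authentication methods.

param(
    [string]$GuestMail = 'guest.user@partner.example',   # constructed placeholder
    [switch]$DryRun                                      # list only, change nothing
)

# Interactive sign-in with the scopes needed to read users and write auth methods.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

# Guest objects carry a UPN of the form alias_domain#EXT#@tenant.onmicrosoft.com;
# filtering on mail + userType avoids having to encode the '#' in an OData filter.
$guest = Get-MgUser -Filter "mail eq '$GuestMail' and userType eq 'Guest'" `
                    -Property Id, DisplayName, UserPrincipalName, Mail
if (-not $guest) { throw "No guest user with mail $GuestMail in this tenant." }
if (@($guest).Count -gt 1) { throw "Mail $GuestMail matches more than one guest; refusing to guess." }

Write-Host "Guest: $($guest.DisplayName) <$($guest.UserPrincipalName)>"

# Enumerate every registered method first so the state before the change is on record.
$methods = Get-MgUserAuthenticationMethod -UserId $guest.Id
foreach ($m in $methods) {
    Write-Host ("  {0,-62} {1}" -f $m.AdditionalProperties['@odata.type'], $m.Id)
}

# Remove the Authenticator-app registrations (push/passwordless and TOTP).
# Other method types, including the password method, are left untouched.
foreach ($m in $methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            if ($DryRun) { Write-Host "DRY RUN: would remove Authenticator method $($m.Id)"; break }
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
                -UserId $guest.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
            Write-Host "Removed Authenticator method $($m.Id)"
        }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            if ($DryRun) { Write-Host "DRY RUN: would remove software OATH method $($m.Id)"; break }
            Remove-MgUserAuthenticationSoftwareOathMethod `
                -UserId $guest.Id -SoftwareOathAuthenticationMethodId $m.Id
            Write-Host "Removed software OATH method $($m.Id)"
        }
    }
}
```

Run it once with `-DryRun` to confirm the lookup resolved the intended guest before removing anything; the listing it prints is also the record to keep alongside the out-of-band identity check that should precede any MFA reset, since a reset that is granted on an unverified request is the classic way an account takeover gets past MFA. Once the Authenticator methods are gone, the guest is asked to register again the next time a Conditional Access policy in that tenant requires MFA.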