Prevent an Azure AD MFA User Lockout


Within Azure Multi-Factor Authentication a user can configure several options for the second factor, and among those options several phone numbers. In practice, however, most users register only one phone number. When such a user loses the phone, or access to the number, Azure MFA can no longer be used. The user cannot change the phone number either, because a second factor is required to reach the page where it is managed. So the user is locked out of Azure MFA, and the only way out in this scenario is to call the helpdesk and have the number changed. There is a configuration that prevents this lockout: simply set a phone number on the user's account in your on-premises Active Directory, or directly in Azure Active Directory, so that the user has a second, admin-controlled number to fall back on.

While configuring this in my lab I noticed that the phone number I had set on the user's AD account was not being used by Azure MFA. A little investigation showed that the number has to follow a specific format. But first the problem:

  1. I configured a phone number on my test user's AD account, entered as the country code immediately followed by the phone number, with no space in between.

  2. Azure AD Connect syncs this number to Azure AD, where it appears in the Office Phone attribute of the test user's Azure AD account.

  3. The next step should be to open the user's Azure MFA options and activate the office phone as one of the second-factor options for this user. But when we look at the Azure MFA settings, the number is not shown and cannot be selected.

  4. The office number is unavailable in Azure MFA because of the format of the phone number in the user's AD account. The number must be written as <country code> <phone number>, with a space between the country code and the phone number. So let's change the number in the test user's AD account so that it has that space.

  5. Azure AD Connect syncs the corrected number to Azure AD, and when we check the user's Azure MFA profile again the number is visible and can be selected as an MFA authentication option.
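As an added example (not code from the original post), the following PowerShell script carries out the steps above from the command line: it normalises a number into the <country code> <phone number> format, refuses to write anything that does not match that format, writes the value to the user's Office Phone attribute, triggers a delta sync and then checks what arrived in Azure AD. It assumes the ActiveDirectory, ADSync and AzureAD modules, an existing Connect-AzureAD session, a test user testuser / testuser@contoso.com, an Azure AD Connect server named aadconnect01, and that the country code is written with a leading '+'; all of these are placeholders, not values from the post.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory and AzureAD modules loaded, Connect-AzureAD already
# run, user 'testuser' (UPN testuser@contoso.com) exists, and Azure AD Connect runs
# on 'aadconnect01'. Country code, digits, UPN and server name are placeholders.

function Format-MfaPhoneNumber {
    param(
        [Parameter(Mandatory)][string]$CountryCode,   # e.g. '+31' or '31'
        [Parameter(Mandatory)][string]$Number         # subscriber number in international form
                                                      # (no national trunk prefix), any spacing
    )
    # Keep only the digits of both parts and join them with exactly one space,
    # which is the '<country code> <phone number>' format Azure MFA accepts.
    $cc  = $CountryCode -replace '[^\d]', ''
    $num = $Number      -replace '[^\d]', ''
    if (-not $cc -or -not $num) { throw 'Country code and number must both contain digits.' }
    return "+$cc $num"                               # e.g. '+31 612345678'
}

function Test-MfaPhoneNumber {
    param([Parameter(Mandatory)][string]$PhoneNumber)
    # 1-3 digit country code with leading '+', one space, then the subscriber number.
    # A value like '+31612345678' (no space) fails here, and that is the value that
    # syncs fine but never shows up as an MFA option.
    return $PhoneNumber -match '^\+\d{1,3} \d{4,14}$'
}

$sam    = 'testuser'
$upn    = 'testuser@contoso.com'
$office = Format-MfaPhoneNumber -CountryCode '+31' -Number '6 1234 5678'

if (-not (Test-MfaPhoneNumber -PhoneNumber $office)) {
    throw "Refusing to write '$office': not in '<country code> <phone number>' format."
}

# -OfficePhone maps to the telephoneNumber attribute, which Azure AD Connect syncs
# to the Office Phone field of the Azure AD user.
Set-ADUser -Identity $sam -OfficePhone $office
Get-ADUser -Identity $sam -Properties telephoneNumber |
    Select-Object SamAccountName, telephoneNumber

# Start a delta sync instead of waiting for the next scheduled cycle.
Invoke-Command -ComputerName 'aadconnect01' -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# Check the value that arrived in Azure AD. If the sync has not completed yet the
# old value is still shown, so re-run this part after a minute or two.
$cloudUser = Get-AzureADUser -ObjectId $upn
if ($cloudUser.TelephoneNumber -ne $office) {
    Write-Warning "Azure AD still shows '$($cloudUser.TelephoneNumber)'; wait for the sync and re-check."
} else {
    Write-Host "Office phone '$office' is in Azure AD and can now be enabled as an MFA method."
}
```

The user still has to enable the office phone as a method in the MFA profile once the number is visible; the script only makes sure the number is written in a format that Azure MFA will offer.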

Now that the phone number from the user's AD account is usable, you probably wonder why you would want this configuration:

  • The Phone Number and Office Phone attributes are synced from AD and cannot be changed by the user, so you as admin control the fallback number. The flip side is that whoever can write that attribute in AD controls an MFA factor, so restrict write access to it accordingly;
  • You as admin provide a fallback option that the user can activate in the MFA profile. The number can be changed by the admin even when the user no longer has access to the Azure MFA profile; note that the office phone has to be enabled as a method while the user still has access, before the primary phone is lost;
  • Calls to the helpdesk to change the phone number or to reset the user's MFA profile are no longer needed.

2 thoughts on “Prevent an Azure AD MFA User Lockout”

  1. Josh

    But even if you configure the work number to sync, wouldn't the user still have to log on and select it as an MFA option?
