It happens more often than you’d think — a user misplaces their phone and suddenly can’t get past the
multi-factor authentication prompt to access email and Microsoft 365.
As an administrator, you have two clean, secure paths to restore access without compromising your tenant’s security posture.

✓ Recommended

Reset the User’s MFA Methods

Forces the user to re-register MFA on their new or replacement device

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Identity → Users → All Users
  3. Search for and open the affected user’s profile
  4. Click Authentication methods in the left-hand pane
  5. Click “Require re-register multifactor authentication” — this invalidates all current MFA registrations
  6. Optionally delete any listed methods (Authenticator app, phone number, etc.) shown on screen
  7. The user will be prompted to set up MFA fresh on their next successful sign-in
💡 Tip
Use this option when the user has a replacement device in hand and can go through the Authenticator setup right away.

Option 2

Issue a Temporary Access Pass (TAP)

A time-limited passcode that bypasses MFA — ideal for immediate access while setting up a new device

  1. In the Entra admin center, go to Identity → Users → All Users
  2. Open the affected user’s profile
  3. Click Authentication methods
  4. Click + Add authentication method → Temporary Access Pass
  5. Configure the duration (e.g., 1–8 hours) and whether it is one-time or multi-use
  6. Copy the generated passcode and deliver it to the user through a secure, out-of-band channel
  7. The user signs in with their password + the TAP in place of MFA
  8. Once signed in, they can register a new Authenticator app or phone number
⚠ Pre-requisite
TAP must be enabled in your tenant before use. Verify at Entra admin center → Protection → Authentication methods → Temporary Access Pass — ensure it is Enabled and the user is within policy scope.
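
A scripted equivalent of Option 2 and its prerequisite check, added here as an example and not taken from the original article. It assumes the Microsoft Graph PowerShell SDK is installed and that the operator holds a role permitted to manage authentication methods; the UPN is a placeholder parameter.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell SDK
# and an admin role that can manage users' authentication methods.
param(
    # Placeholder: the locked-out user's UPN, e.g. user@contoso.example
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # 60-480 minutes mirrors the 1-8 hour range the article gives as an example
    [ValidateRange(60, 480)] [int] $LifetimeMinutes = 60
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All'

# Prerequisite: TAP must be enabled in the tenant's authentication methods policy.
# This checks the tenant-level state only, not whether the user is in policy scope.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
if ($tapPolicy.State -ne 'enabled') {
    throw "Temporary Access Pass is '$($tapPolicy.State)' in this tenant; enable it first."
}

# Record which method types the user currently has registered (for the ticket).
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }

# Issue a one-time pass so the code is useless after the first sign-in.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
    isUsableOnce      = $true
    lifetimeInMinutes = $LifetimeMinutes
}

# The passcode is returned only at creation time. Deliver it out-of-band and
# keep it out of transcripts, tickets and chat history.
[pscustomobject]@{
    User            = $UserPrincipalName
    ValidFrom       = $tap.StartDateTime
    LifetimeMinutes = $tap.LifetimeInMinutes
    OneTimeUse      = $tap.IsUsableOnce
    Passcode        = $tap.TemporaryAccessPass
}
```

Keeping the pass one-time and at the shortest workable lifetime limits the window in which an intercepted passcode is usable.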

Prevent the Next Lockout

A few minutes of preparation now can turn a future lockout into a two-minute admin task.


  • Enable Authenticator cloud backup — Microsoft Authenticator supports account backup and restore. Encourage users to enable backup so they can restore credentials to a new phone instantly.

  • Register a secondary authentication method — Require key users to register a backup phone number or a hardware FIDO2 security key in addition to the Authenticator app.

  • Keep TAP policy enabled in your tenant — With TAP ready to go, you can resolve any MFA lockout in under two minutes without delays.

  • Educate users on the “My Security Info” portal — Users can self-manage their MFA methods at mysignins.microsoft.com before a crisis occurs. Encourage periodic review.

Need help managing your M365 environment?
Katy Computer Systems provides expert Microsoft 365 administration for businesses in the St. Louis area.
