Azure Identity

Fixing MFA and Passwordless Sign-In Failures: Registration, Methods Policy, and Number Match

The ticket says “I can’t log in.” That is the least useful sentence in identity support, because Microsoft Entra ID can refuse a sign-in at half a dozen different gates and every one of them looks the same to the user: a screen they can’t get past. Sometimes the password was fine but MFA registration never completed, so the user is trapped on “More information required” with no method to add. Sometimes the method was fine but the number-match push never arrived, or arrived and the user typed the wrong two digits. Sometimes a brand-new passkey enrolment is greyed out because the Authentication methods policy doesn’t allow it for that user’s group. Sometimes Conditional Access demands phishing-resistant MFA the user simply does not have. Same symptom, six root causes, six fixes — and the only way to tell them apart is to read the right signal.

This is the diagnostic playbook for that whole class of failure. We treat can’t-register, push-never-arrives, wrong-number-match, passkey-greyed-out, and Conditional-Access-blocked not as one bug but as distinct symptom classes, each with its own confirming evidence: a specific AADSTS code in the sign-in logs, a setting in the Authentication methods policy, or a row in the registration details report. Every diagnosis comes with the exact place to confirm it — an az rest/Graph call, a log filter, or a portal path — and the precise fix, laid out as scannable tables for the moment you reach for this with a locked-out VIP on the phone.

By the end you will stop guessing. When “I can’t log in” lands, you will know within two minutes whether you face an unregistered user, a method the policy doesn’t permit, a push suppressed by number-match changes, System-Preferred MFA picking a method the user can’t satisfy, a stale authentication strength, or simply a user who needs a Temporary Access Pass to bootstrap a passkey — the difference between a thirty-second fix and a two-hour escalation that resets MFA for an account that was never broken.

What problem this solves

Entra hides the machinery so that, when it works, a user types a password, approves a prompt, and they are in. That abstraction is a gift until it breaks — then the generic blue error screen tells the user (and the agent over their shoulder) almost nothing, because exposing why auth failed to a half-authenticated caller would be a security leak. The real reason is captured and precise, but it lives in the sign-in logs, the Authentication methods policy, and the registration details report — and if you don’t know which maps to which failure, you burn an hour clicking through the admin centre while the user waits.

What breaks without this knowledge is expensive: an agent “resets MFA” for a user whose MFA was fine (deleting working methods, creating a new registration gap), re-issues a password (when the password was never the problem), or files a support case and waits a day. Meanwhile the actual cause — a group excluded from the passkey policy, a per-user MFA state fighting Conditional Access, a number-match prompt the user keeps dismissing, or an MFA-registration policy blocking the very registration it requires — sits there, perfectly diagnosable, ignored.

Who hits this: every org past password-only, which is nearly all of them. It bites hardest during three transitions — turning on number matching (mandatory since February 2023, so “Approve/Deny” muscle memory breaks), rolling out passwordless/passkeys (registration prerequisites trip people constantly), and migrating off the legacy per-user MFA and SSPR policies to the unified Authentication methods policy (where settings silently move and old toggles stop applying). The fix is almost never “reset the user” — it is “find the gate refusing them and read what it’s actually saying.”

Every symptom class this article covers, the question it forces, and the one place to look first:

Symptom class What the user sees First question to ask First place to look Most common single cause
Can’t register a method “More information required” loop; no way to add Is registration allowed and reachable for this user? Sign-in logs (interrupt) + Authentication methods policy A CA policy blocks the registration endpoint, or the method is disabled for the user’s group
Push never arrives Approval screen waits, then times out Did the push leave the service, and is the app reachable? Authenticator app activity + sign-in log error code Notifications off / old app / network; or number-match confusion
Wrong number-match “That didn’t work, try again” Is the user reading the sign-in screen’s number? Sign-in screen vs app prompt User guesses instead of reading the number from the browser
Passkey/FIDO2 greyed out “Add passkey” missing or fails Is the method enabled for this user and prereqs met? Authentication methods policy → Passkey (FIDO2) Method off, key-restriction (AAGUID) blocks it, or no TAP to bootstrap
System-Preferred picks wrong method Prompted for a method they don’t have What does Entra consider their strongest method? Registration details report System-Preferred MFA promotes a method the user never set up
Conditional Access blocks sign-in “You can’t get there from here” grant failure Which grant control failed, and do they hold it? Sign-in logs → Conditional Access tab Auth-strength requires phishing-resistant MFA the user lacks

Learning objectives

By the end of this article you can:

Prerequisites & where this fits

You should already understand the Entra basics: a tenant is your directory; users sign in to it; MFA adds a second proof beyond the password; and an authentication method (Microsoft Authenticator push, passkey/FIDO2, SMS, voice, OATH/TOTP, Temporary Access Pass) is the thing that proves it. Background lives in Microsoft Entra ID Fundamentals: Tenants, Users, Groups & RBAC and the wider authentication picture in Authentication in Azure: SSO, MFA, Passwordless & Conditional Access. You should be comfortable running az in Cloud Shell, reading JSON, and calling Graph via az rest.

This sits in the Identity & access track, in its troubleshooting wing. It assumes the why of phishing-resistant MFA from Authenticator Passkeys and Number Matching: Stopping MFA Fatigue Attacks, and pairs with the rollout mechanics in Rolling Out FIDO2 Passwordless Authentication in Entra ID: Security Keys, Passkeys, and Windows Hello for Business and Rolling Out Phishing-Resistant Passwordless Auth: FIDO2, Passkeys, and Break-Glass Design, because half of these failures appear during a rollout. The enforcement layer is Conditional Access — deployed safely in Deploying Conditional Access Safely: Report-Only Rollout to Enforcement and at scale in Designing Conditional Access at Scale: A Persona-Based Policy Framework with Authentication Context and Filters.

Know which blade owns which decision, so you open the right one first:

Layer What lives here Who usually owns it Failure classes it can cause
Authentication methods policy Which methods are allowed, and for which groups Identity admin Method greyed out; passkey disabled; SMS off
Per-user MFA (legacy) Old per-account Enabled/Enforced state Identity admin (legacy) “Required” loops that fight CA; double prompts
SSPR policy (legacy) Which methods register for password reset Identity admin (legacy) Split registration; method registered for SSPR not MFA
Combined registration The aka.ms/mysecurityinfo enrolment UX Microsoft (platform) “Can’t add method” if interrupted/blocked
Conditional Access When a strong method is required Security / identity Grant failure; auth-strength can’t be met; registration blocked
The user’s device / app Authenticator app, OS, browser, security key End user / endpoint team Push never arrives; passkey unsupported; clock skew

Core concepts

Six mental models make every later diagnosis obvious.

Registration and authentication are different events that fail differently. Registration is the one-time act of adding a method at aka.ms/mysecurityinfo (Combined registration); authentication is using one to satisfy a sign-in. A user with no method can’t do MFA — but that shows up as an interrupt (“More information required”), not a denial. The first fork: does this user have a usable method at all, or one being refused? The registration details report answers the first; the sign-in logs the second.

The Authentication methods policy decides what’s allowed; Conditional Access decides what’s required. Two engines that fail in opposite ways. The methods policy is an allow-list — a method is absent if it isn’t enabled for the user’s group (symptom: “the option isn’t there”). Conditional Access is a gate — it can require a method or authentication strength the user doesn’t hold (symptom: “I got blocked”). Mixing these up sends you to the wrong blade for an hour.

Number matching changed the push contract, and it is not optional. Since February 2023, number matching is enforced for all Authenticator push tenant-wide — tap-to-approve is gone. The sign-in screen shows a two-digit number the user must read and type into the app; if they can’t see the screen or they guess, it fails. Many post-2023 “push is broken” tickets are really “the user doesn’t know to read the number.” Additional context (app name + location in the prompt) is a related, separately-toggled setting.

System-Preferred MFA promotes the strongest method automatically. Entra defaults to prompting the most secure method the user registered (passkey > Authenticator push > phone). Good security, but it surprises people — someone who “always used SMS” is suddenly asked for Authenticator because they once registered it, and if that registration is broken they’re stuck while a working SMS sits unused.

Passwordless registration has prerequisites and a chicken-and-egg trap. A passkey (a phishing-resistant FIDO2 credential on a security key, a platform authenticator, or device-bound in Authenticator) registers only if the methods policy enables it, the AAGUID key-restriction (if set) permits the model, and the user can already sign in strongly enough to reach registration. That last point is the trap — the escape hatch is a Temporary Access Pass (TAP), a time-limited passcode an admin issues to bootstrap the first strong credential.

The legacy MFA and SSPR settings still exist and still bite. Tenants ran per-user MFA (the old Enabled/Enforced state) and the SSPR registration policy for years; they coexist with the unified methods policy and contradict it — a user Enforced for per-user MFA can be double-prompted under CA, and a method registered only for SSPR may not count for MFA. The fix is the migration to the unified policy; until then, these overlaps cause “works for some users, not others.”

Every term above is defined for lookup in the Glossary at the end; the deep sections from here assume the six models.

The AADSTS error-code reference

Before the per-symptom anatomy, here is the lookup you scan first — the AADSTS codes you realistically see for MFA, registration and method failures, what each means on this platform, where to confirm it, and the first fix. The non-obvious ones are 50079 (registration required, no method) versus 50074/50076 (MFA required but not satisfied), 500121 (the catch-all for “push timed out / number wrong / denied”), and 530031 (auth-strength gap) versus 53003 (generic CA block). Treat the AADSTS code as the front door to the whole diagnosis.

AADSTS code Meaning Likely cause How to confirm First fix
50058 Silent sign-in failed; interactive required Session/cookie issue, no active session Sign-in log “interrupted”; browser state Sign in interactively; clear stale session
50074 Strong auth (MFA) required, not satisfied MFA expected by policy, user didn’t complete Sign-in log error + CA tab Complete MFA; check which method is prompted
50076 MFA required due to Conditional Access A CA policy demands MFA on this resource Sign-in log → CA tab shows the policy User completes MFA; verify they have a method
50079 User must enrol in MFA (registration required) No usable method registered; proof-up triggered Sign-in log “interrupt”; registration report Register a method (or issue a TAP)
50072 User prompted to set up MFA (SSPR/MFA reg) Security-info registration interrupt Sign-in log interrupt Complete registration at mysecurityinfo
500121 Authentication failed during MFA request Push timed out, number wrong, user denied Sign-in log “Additional Details” Re-attempt; check delivery + number match
50125 Sign-in interrupted by password reset/registration SSPR or combined-registration interrupt Sign-in log interrupt event Finish the registration/reset flow
50131 Conditional Access condition not met (device/location) Compliant-device or other grant unmet Sign-in log → CA tab Satisfy the grant (enrol device, etc.)
53003 Access blocked by Conditional Access A CA grant blocked the sign-in Sign-in log → CA tab names policy + control Adjust policy / give user the required control
53004 Must set up strong auth (proof-up) blocked CA requires strong auth user can’t register here CA tab + auth-strength on the grant Issue TAP; allow registration path
530031 Auth-strength requirement not met CA auth-strength wants a method user lacks CA tab shows the strength + method gap Register a qualifying method (e.g. passkey)
65001 User/admin has not consented App permission/consent missing (app sign-in) Sign-in log; enterprise app consent Grant consent (admin/user)

Three reading notes that save the most time:

Distinction The trap How to tell them apart
Interrupt vs failure Both stop the user; only one is a “block” The sign-in log marks registration/SSPR events as interrupts (status “interrupted”), not failures — the user must finish a flow, not “be allowed in”
MFA required (50074/50076) vs not registered (50079) Looks like “MFA broke” 50079/50072 mean there’s no method to use (fix = register); 50074/50076 mean a method exists but wasn’t satisfied (fix = deliver/complete it)
CA block (53003) vs auth-strength gap (530031) “Conditional Access blocked me” hides the reason 53003 is a generic grant block; 530031 specifically means the authentication strength wanted a stronger method than the user holds

Symptom 1 — The user can’t register a method

The user lands on “More information required” (or aka.ms/mysecurityinfo) and either sees no way to add a method, or the add fails. Three causes — scan, then read the matching detail:

# Registration cause Tell-tale signal Confirm with Real fix
1 The method isn’t enabled for this user The method tile is missing/greyed in Security info Authentication methods policy → method → target groups Enable the method for the user’s group
2 A CA policy blocks the registration flow Sign-in log interrupt → CA blocked the register security info action Sign-in log → CA tab on the registration event Exclude registration from the blocking policy, or scope an MFA-registration policy correctly
3 Per-user MFA / SSPR split confuses the UX Method shows for SSPR but not MFA, or vice-versa Legacy SSPR policy vs Authentication methods policy Finish the migration to the unified policy

Cause 1 — The method isn’t enabled for the user

The tile is absent from Security info because the Authentication methods policy doesn’t target that user’s group for that method — the user isn’t broken, the policy never offered the option. Confirm by reading the method’s config and its target (Graph is the source of truth; the portal hides per-group detail):

# Read the Microsoft Authenticator method config (state + who it targets)
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator" \
  --query "{state:state, includeTargets:includeTargets}"

If state is disabled, or includeTargets doesn’t contain a group the user is in, that’s why the tile is missing. Fix: enable the method and include the user’s group (or all_users):

az rest --method PATCH \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator" \
  --headers "Content-Type=application/json" \
  --body '{
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "state": "enabled",
    "includeTargets": [ { "targetType": "group", "id": "<group-object-id>", "isRegistrationRequired": false } ]
  }'

The complete method set, with what each is for and the gotcha that most often hides the tile:

Method What it provides Enabled by default? Most common “missing tile” cause
Microsoft Authenticator (push) Number-matched push approval Often on (varies by tenant age) Group not targeted; or only “passwordless” mode on
Passkey (FIDO2) Phishing-resistant credential Off until you enable it Method disabled, or AAGUID restriction excludes the device
Temporary Access Pass Time-limited bootstrap passcode Off until you enable it Not enabled; can’t bootstrap passwordless
SMS / text message OTP to phone Varies; being de-emphasised Disabled for security; or number not verified
Voice call OTP read over a call Varies Often disabled tenant-wide
Third-party OATH / TOTP 30-second software/hardware code Configurable Hardware OATH needs token upload first
Email OTP Code to email (mainly guests) Guests only by default Not for member-user MFA by design

Cause 2 — A Conditional Access policy blocks the registration flow

The cruel one: a Conditional Access policy meant to secure sign-in accidentally blocks the user from registering the method it requires — either a broad “require MFA / compliant device for all apps” policy catches the registration interaction, or a purpose-built “MFA registration” policy is mis-scoped to require MFA to register MFA, an impossible loop for a user with no method yet. Confirm by reading the failed sign-in’s Conditional Access tab; the flow shows as the user action “Register security information.”

# Recent failed/interrupted sign-ins for one user, with the CA-relevant fields
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=10&\$filter=userPrincipalName eq 'amir@contoso.com'" \
  --query "value[].{time:createdDateTime, app:appDisplayName, code:status.errorCode, reason:status.failureReason}" -o table

In the portal, the event’s Conditional Access tab shows each policy as Success / Failure / Not applied; a policy in Failure against the registration action is your culprit.

Fix. Issue a Temporary Access Pass (Symptom 3) as the bootstrap so the user can satisfy the policy and register, and exclude the registration user-action from device-compliance grants. The Conditional Access mechanics here are exactly what Deploying Conditional Access Safely: Report-Only Rollout to Enforcement walks through — run the policy report-only first and read who it would have blocked.

Cause 3 — The legacy per-user MFA / SSPR split confuses registration

In tenants that haven’t finished the migration, a method registered for SSPR (password reset) may not count for MFA, or per-user MFA interrupts with the old registration UX instead of Combined registration — users register “something” and it doesn’t help where they need it. Confirm by checking the migration state:

# Read the top-level Authentication methods policy (includes migration state)
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy" \
  --query "{policyVersion:policyVersion, migrationState:policyMigrationState}"

If policyMigrationState is preMigration or migrationInProgress, the legacy policies still partly govern behaviour.

Fix. Move each method into the unified Authentication methods policy, verify parity, then set the migration to complete (migrationComplete). After migration, registration is unified and a method counts for both MFA and SSPR wherever it’s enabled — ending the split where a method registered under the legacy SSPR policy didn’t satisfy an MFA prompt.

Symptom 2 — The push never arrives (or number match fails)

The user reaches the approval step but the push never shows, or it shows and the two-digit number entry fails. Since number matching is enforced, this class changed shape in 2023. Five causes follow — notifications off/stale app, number-match confusion, a blocked push-service path, missing additional context, and clock-skewed TOTP (rows 5–7 and 12–13 of the centerpiece playbook).

Cause 1 — Notifications are off or the app is out of date

The plainest and most common cause: Authenticator notifications are disabled, the app predates number matching, the device is in Focus/Do-Not-Disturb, battery optimisation restricts it (Android), or the account was removed. A 500121 in the sign-in log with the user never completing corroborates a delivery problem (not a denial). Confirm and fix on the device: allow Authenticator notifications (disable Focus/DND), update the app, exclude it from battery optimisation, and re-add the account if missing (re-register via mysecurityinfo).

Cause 2 — Number-match confusion (the post-2023 classic)

Number matching is enforced, so the browser shows a two-digit number the user must read and type into the app. Users trained on tap-to-approve don’t look at the browser, sign in on the same phone (so they can’t see the number while in the app), or simply guess — the app says “that didn’t work,” and they conclude push is broken. Confirm: this is a coaching diagnosis — if the user describes only “Approve/Deny,” their app is stale (Cause 1); if they see a keypad but keep failing, it’s match confusion. The sign-in log shows 500121.

Fix. Coach the flow: read the two-digit number from the device showing the sign-in screen (usually the browser), then type it in Authenticator. There is no setting to “turn off” number matching — it is permanent, so stop hunting for the toggle; if the user has no screen to read the number from, fall back to voice or a verification code.

Cause 3 — The push-service path is blocked on the network

Push delivery rides APNs (Apple) and FCM (Google) plus Microsoft endpoints, so a locked-down corporate network or a misbehaving MDM/proxy can block it — pushes arrive on cellular but never on Wi-Fi. Confirm by reproducing on cellular (disable Wi-Fi); if the push arrives, the network is the cause. Fix by allowing the push endpoints in the firewall/proxy and excluding Authenticator from MDM traffic interception; as a fallback, a code-based method (TOTP / verification code in the app) needs no inbound push.

Cause 4 — Additional context is off, so users distrust the prompt

Additional context shows the application name and sign-in location in the prompt. Without it, a legitimate prompt looks identical to a malicious one, so security-aware users deny real sign-ins — less “push broken” and more “push denied wrongly.” Confirm by reading the Authenticator policy’s displayAppInformationRequiredState and displayLocationInformationRequiredState:

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator" \
  --query "featureSettings"

Fix. Enable both context settings and target the relevant group. The threat model behind this — why context plus number matching defeats push-bombing — is the subject of Authenticator Passkeys and Number Matching: Stopping MFA Fatigue Attacks.

Cause 5 — Clock skew breaks the TOTP fallback

When the user falls back to a verification code (TOTP / OATH), the 30-second code is time-based, so a phone clock off by more than ~30–90 seconds makes every code “incorrect” — looking like a broken method. Confirm by comparing device time to network time; fix by turning on automatic date and time so the clock syncs, then retry. This affects code-based methods only — push and passkey aren’t time-code-based.

Symptom 3 — Passkey or FIDO2 registration is greyed out or fails

The user tries to add a passkey (in Authenticator, on a security key, or a platform authenticator) and the option is missing, disabled, or registration errors. Four causes follow — the method disabled in policy, an AAGUID key-restriction excluding the device, no way to bootstrap (chicken-and-egg), and an unsupported browser/OS/attestation (rows 2–4 of the centerpiece playbook).

Cause 1 — The passkey method is disabled in policy

Passkey/FIDO2 is off until you explicitly enable it in the Authentication methods policy, so by default the “Add passkey” path doesn’t exist. Confirm by reading the FIDO2 method config:

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2" \
  --query "{state:state, attestation:isAttestationEnforced, restrictions:keyRestrictions, targets:includeTargets}"

state: disabled is the cause. Fix: enable FIDO2 and target the group — and set the two enforcement knobs (attestation and key restrictions) deliberately:

az rest --method PATCH \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2" \
  --headers "Content-Type=application/json" \
  --body '{
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "state": "enabled",
    "isAttestationEnforced": false,
    "isSelfServiceRegistrationAllowed": true,
    "keyRestrictions": { "isEnforced": false, "enforcementType": "allow", "aaGuids": [] },
    "includeTargets": [ { "targetType": "group", "id": "<group-object-id>" } ]
  }'

The full FIDO2/passkey policy knobs and what each one breaks if set wrong:

Setting What it controls Default Failure if mis-set
state Method enabled/disabled disabled “Add passkey” missing entirely
isSelfServiceRegistrationAllowed Users may self-register true (when enabled) Users can’t add their own passkey
isAttestationEnforced Require authenticator attestation varies Registration fails for keys with no/blocked attestation
keyRestrictions.isEnforced Turn AAGUID allow/block on false Combined with allow-list → excludes other models
keyRestrictions.enforcementType allow (allow-list) or block (block-list) allow Wrong type silently excludes the user’s key
keyRestrictions.aaGuids The list of permitted/blocked models empty Empty allow-list blocks everything
includeTargets Which groups get the method none until set User’s group not included = greyed out

Cause 2 — An AAGUID key-restriction excludes the device

Each FIDO2 model has an AAGUID (a 128-bit identifier). With key restrictions set to allow a specific list, any model not on it is refused — classically the Authenticator app’s own device-bound passkey AAGUID, which teams forget to add, so enabled-but-restricted looks identical to “broken.” Confirm via keyRestrictions: isEnforced: true, enforcementType: allow, and the user’s AAGUID absent from aaGuids is the block.

Fix. Add the AAGUID(s) to the allow-list (allow admits only listed models, so forgetting one silently blocks it), switch to a block-list (block refuses only listed models, admits the rest), or set isEnforced: false for a broad rollout.

Cause 3 — The bootstrap chicken-and-egg (no TAP)

To register a passkey securely a user often needs to already be authenticated strongly — but a brand-new or freshly-reset user has no strong method yet, so they can’t sign in to reach registration and can’t register because they can’t sign in. Onboarding stalls here for every new passwordless user. Confirm: the user has no usable method (registration report empty) and Conditional Access requires strong auth to reach registration — 53004 (“must set up strong auth”) or a registration interrupt with nothing to satisfy it.

Fix. Issue a Temporary Access Pass (TAP) — a time-limited passcode that itself satisfies MFA, letting the user sign in once and register a passkey. Enable TAP in the policy, then issue one:

# 1) Ensure TAP is enabled in the Authentication methods policy
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass" \
  --query "{state:state, defaultLifetimeMinutes:defaultLifetimeInMinutes, isUsableOnce:isUsableOnce}"

# 2) Issue a TAP for the user (admin needs Authentication Administrator)
az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/users/amir@contoso.com/authentication/temporaryAccessPassMethods" \
  --headers "Content-Type=application/json" \
  --body '{ "lifetimeInMinutes": 60, "isUsableOnce": false }'

The response includes the temporaryAccessPass value — hand it to the user over a verified channel. The TAP settings and what each controls:

TAP setting What it does Typical value Gotcha
state TAP enabled tenant-wide enabled (to use it) Off = can’t bootstrap passwordless
defaultLifetimeInMinutes Default validity 60 Too short and the user can’t finish registering
minimumLifetimeInMinutes / maximum… Allowed range 10 min – 8 hrs (configurable) Issuing outside the range fails
isUsableOnce One-time vs multi-use depends on use case One-time TAP can’t cover a multi-step onboarding
includeTargets Who can be issued a TAP targeted group Admin can’t issue if the user isn’t targeted

The TAP-to-passkey onboarding is exactly the flow detailed in Rolling Out FIDO2 Passwordless Authentication in Entra ID: Security Keys, Passkeys, and Windows Hello for Business.

Cause 4 — Browser, OS, or attestation isn’t supported

The FIDO2 registration ceremony runs in the browser against the OS/authenticator, so an unsupported browser/OS combination, a key the org’s attestation enforcement rejects, or a platform that can’t do device-bound passkeys yet all error mid-ceremony. Confirm by the WebAuthn/browser error or that it fails only on certain devices (if isAttestationEnforced: true, keys lacking valid attestation metadata are refused). Fix by using a supported current browser/OS; for trusted keys without attestation, set isAttestationEnforced: false deliberately, and match the authenticator to the platform — device-bound passkeys in Authenticator, security keys, or platform authenticators (Windows Hello / Apple / Google), as covered in Rolling Out Phishing-Resistant Passwordless Auth: FIDO2, Passkeys, and Break-Glass Design.

Symptom 4 — System-Preferred MFA prompts a method the user can’t use

The user complains Entra asks for a method they “don’t use” — typically Authenticator when they expected SMS. System-Preferred MFA (on by default) prompts the strongest registered method, so a once-registered, now-broken Authenticator shadows a working phone. Confirm by reading the user’s registered methods (the registration details report, or Graph):

# What methods has this user actually registered?
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/users/amir@contoso.com/authentication/methods" \
  --query "value[].{type:'@odata.type'}" -o table

Check the System-Preferred setting on the Authenticator policy:

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator" \
  --query "featureSettings.numberMatchingRequiredState"

Fix. The right fix is to repair or remove the broken strongest method so System-Preferred promotes the working one — not to disable System-Preferred (which is a security regression). If a user genuinely should use a weaker method, remove the stronger registration. The promotion order Entra uses (strongest first):

Rank Method Why ranked here
1 Passkey / FIDO2 Phishing-resistant; cryptographically bound
2 Authenticator (passwordless sign-in) Phishing-resistant device-bound credential
3 Authenticator push + number match Strong, but relays are theoretically possible
4 Hardware/software OATH (TOTP) Code-based; phishable in real time
5 SMS / voice Weakest; SIM-swap and OTP phishing

So a user who registered Authenticator long ago (now broken) but still has working SMS is correctly prompted for the Authenticator they can’t satisfy — repair or remove it and SMS gets promoted. A user prompted for a passkey they “forgot” simply has the strongest method they own. Only-SMS users get SMS; that’s working as intended.

Symptom 5 — Conditional Access blocks the sign-in

The user authenticates fine but is blocked by a grant they can’t satisfy — most often a Conditional Access authentication strength demanding phishing-resistant MFA the user doesn’t have, or an MFA-required grant on a resource. The status code is 53003 (generic block) or 530031 (auth-strength gap).

Confirm. Open the failed sign-in and read the Conditional Access tab — it names every policy, the grant control, and whether it passed, failed, or was report-only:

# Pull the sign-in and surface the CA failure reason + status code
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=5&\$filter=userPrincipalName eq 'amir@contoso.com' and status/errorCode ne 0" \
  --query "value[].{time:createdDateTime, code:status.errorCode, reason:status.failureReason, ca:conditionalAccessStatus}" -o table

A conditionalAccessStatus of failure, with 530031, means an authentication strength wanted a stronger method than the user holds.

Fix. Either give the user a qualifying method (register a passkey so they can satisfy a phishing-resistant strength), or — if the policy is over-scoped — correct it. Always exclude break-glass accounts from every blocking policy so a CA mistake never locks you out entirely. The grant controls that produce these blocks and how to satisfy each:

Grant control What it requires Status when unmet How the user satisfies it
Require MFA Any second factor 50074 / 50076 Complete any registered MFA method
Require authentication strength (phishing-resistant) Passkey/FIDO2/WHfB only 530031 Register and use a passkey
Require compliant device Intune-compliant device 50131 Enrol/compliance-remediate the device
Require Hybrid Entra join Domain-joined + synced 50131 Use a corporate-joined device
Block access Hard deny (location/risk) 53003 Meet the condition (network, risk remediation)

The auth-strength built-ins, and which methods satisfy each — so you know instantly whether a user can pass:

Built-in authentication strength Satisfying methods When you’d require it
MFA strength Push, OATH/TOTP, SMS, voice, passkey, WHfB, certificate Baseline MFA on most apps
Passwordless MFA strength Authenticator passwordless, passkey, WHfB, certificate Removing passwords for a group
Phishing-resistant MFA strength Passkey/FIDO2, Windows Hello for Business, certificate-based Admins, high-value apps

Getting the right users to hold the right strength is the subject of Designing Conditional Access at Scale: A Persona-Based Policy Framework with Authentication Context and Filters.

Architecture at a glance

Picture the sign-in as a relay of five gates between the user and the app, each MFA failure class living at exactly one gate. First the password gate (out of scope — assume it’s right). Then the registration gate: “does this identity have a usable, registered method?” — if not, Entra doesn’t deny, it interrupts with “More information required” and routes to Combined registration. Third is method availability: a registered user can only use methods the Authentication methods policy enables for their group — a disabled or un-targeted method is simply absent. Fourth is delivery and proof: the method must work end-to-end — the push arrives and the user reads the number-match digits, or the passkey ceremony completes, or the TOTP code is in time. Fifth is Conditional Access: even a perfectly proven sign-in is blocked if a grant — most sharply an authentication strength — demands a stronger method than the user holds.

The whole method is “which gate refused, and what is it saying?” The AADSTS code names the gate: 50079/50072 is the registration gate (no method), 500121 is the delivery/proof gate (method exists, not completed), 530031 is the Conditional Access gate (method too weak). Crucially, the registration gates interrupt rather than block — the logs mark them “interrupted,” not “failure,” your fastest tell that the user must finish a flow, not be granted something. Every path converges on the same three instruments — the sign-in logs, the Authentication methods policy, and the registration details report.

Real-world scenario

Nimbus Financial, a 1,400-seat fintech in Central India, ran a six-week programme to move admins and finance to phishing-resistant sign-in: passkeys in Microsoft Authenticator, enforced by a Conditional Access authentication strength. The identity team was three engineers, already past number matching and mid-migration from the legacy per-user MFA/SSPR policies to the unified Authentication methods policy.

Week three is when tickets spiked. Forty-odd newly onboarded finance staff reported the same thing: “I can’t finish setting up my login.” The help-desk reflex was to reset MFA, which made it worse — it deleted whatever the users had started and dropped them to zero. By Thursday the queue had a VP of Finance in it.

The breakthrough was reading the sign-in logs instead of trusting the symptom. Every stuck user showed the same pattern: an interrupt (not a failure) routing to Register security information, and on that event a Conditional Access policy in Failure — the team’s own “Require phishing-resistant MFA for Finance” strength was scoped to all Finance apps including the registration interaction. New users had no passkey yet (that’s what they were registering), so the strength they couldn’t meet was blocking the very page where they’d meet it. Classic chicken-and-egg, dressed up as “MFA is broken.” A smaller cluster failed differently: their “Add passkey” was greyed out — the team had enabled passkeys in Authenticator but set AAGUID key-restrictions to an allow-list of two hardware keys and forgotten the Authenticator-app AAGUID.

The fix landed in two moves. Immediately: issue Temporary Access Passes (60-minute, multi-use) so users could satisfy MFA once, reach registration, and enrol a passkey — and add the Authenticator AAGUID to the allow-list so the device-bound passkey could register. Structurally: re-scope the strength so the registration action is reachable with a TAP (and go report-only for a week first next time), and finish the migration so the SSPR split stopped registering methods that didn’t count for MFA. Onboarding went from ~5 stuck users a day to zero; the new runbook reads, in bold, “Issue the TAP first. A user with no method cannot pass a policy that requires one.”

The incident as a timeline, because the order of moves is the lesson:

Time Symptom Action taken Effect What it should have been
Wk3 Mon 8 users “can’t finish setup” Reset MFA Worse — wiped partial registration Read the sign-in log first
Wk3 Tue 20 users; VP in queue Reset passwords No effect (password fine) Don’t reset; look for the interrupt
Wk3 Wed 40 users Open sign-in logs → CA tab Found CA Failure on “Register security info” This was the breakthrough
Wk3 Wed Root cause #2 found Check FIDO2 keyRestrictions Authenticator AAGUID missing from allow-list
Wk3 Thu Mitigated Issue TAPs; add AAGUID Users register passkeys; queue drains Correct fix
Wk4 Fixed Re-scope strength; finish migration; report-only next time 0 stuck users The actual fix is policy + bootstrap

Advantages and disadvantages

The unified, policy-driven Entra authentication model both causes this class of problem and makes it diagnosable. Weigh it honestly:

Advantages (why this model helps you) Disadvantages (why it bites)
The sign-in logs capture the exact AADSTS code and full Conditional Access result per attempt — you rarely lack evidence The user only ever sees a generic blue error; the real reason is in logs they can’t read, so “I can’t log in” is all you get
The Authentication methods policy is one allow-list with per-group targeting and a Graph API — auditable and scriptable Per-group targeting means a method can be missing for some users only, producing maddening “works for me” reports
Number matching and passkeys genuinely kill fatigue and phishing attacks Number matching broke years of tap-to-approve muscle memory; passwordless adds registration prerequisites that trip onboarding
System-Preferred MFA auto-promotes the strongest method — security improves with no user effort It surprises users by prompting a method they forgot they had, and can shadow a working weaker one with a broken stronger one
TAP cleanly solves the passwordless bootstrap problem If you forget to issue it, new users are stuck in a chicken-and-egg they can’t escape
Conditional Access auth-strengths let you demand exactly the assurance a resource needs An over-scoped strength can block the registration page itself, or lock out users (and admins) who lack the method
The migration to the unified policy ends years of legacy-setting confusion Mid-migration, legacy per-user MFA and SSPR overlap the new policy and produce contradictory behaviour

The model is right for any org serious about identity assurance: the controls that bite (number match, passkeys, auth-strengths) are exactly the ones that stop real attacks. The disadvantages are all manageable once you know they exist — issue the TAP, add the AAGUID, scope the strength to leave registration reachable, finish the migration.

Hands-on lab

Inspect the live policy that governs all of this, then safely toggle a method and issue a Temporary Access Pass — all free-tier-friendly on a test user. You need Authentication Policy Administrator (or higher) and a non-admin test user. Run in Cloud Shell (Bash). Nothing here costs money; Entra MFA configuration is included with the directory.

Step 1 — Sign in and confirm your context.

az login --only-show-errors -o none
az ad signed-in-user show --query "{me:userPrincipalName}" -o table

Step 2 — Read the top-level Authentication methods policy and its migration state.

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy" \
  --query "{version:policyVersion, migration:policyMigrationState}"

Expected: a policyMigrationState of preMigration, migrationInProgress, or migrationComplete. If it isn’t migrationComplete, legacy settings still partly apply.

Step 3 — Inspect each method’s state and targeting.

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations" \
  --query "value[].{method:id, state:state}" -o table

Expected: rows for MicrosoftAuthenticator, Fido2, Sms, TemporaryAccessPass, etc., each enabled or disabled. This is the allow-list every “missing tile” traces back to.

Step 4 — Check whether your test user has any registered method (the registration gate).

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/users/<test-user-upn>/authentication/methods" \
  --query "value[].'@odata.type'" -o table

Expected: a list (possibly just passwordAuthenticationMethod — a password-only user hits the registration interrupt at MFA).

Step 5 — Confirm TAP is enabled, then issue one for the test user.

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass" \
  --query "{state:state, default:defaultLifetimeInMinutes}"

az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/users/<test-user-upn>/authentication/temporaryAccessPassMethods" \
  --headers "Content-Type=application/json" \
  --body '{ "lifetimeInMinutes": 60, "isUsableOnce": false }' \
  --query "{tap:temporaryAccessPass, startsAt:startDateTime, lifetime:lifetimeInMinutes}"

Expected: a temporaryAccessPass value. The test user can now sign in with it and register a passkey — the bootstrap that breaks the chicken-and-egg. (If TAP state is disabled, enable it first via PATCH, as in Symptom 4.)

Step 6 — Read the test user’s recent sign-ins and surface any AADSTS codes.

az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=5&\$filter=userPrincipalName eq '<test-user-upn>'" \
  --query "value[].{time:createdDateTime, code:status.errorCode, reason:status.failureReason, ca:conditionalAccessStatus}" -o table

Expected: recent attempts with their errorCode — the gate-identifier you map with the AADSTS reference table.

Validation checklist. You read the policy and migration state, enumerated allowed methods, confirmed whether a user has a usable method, issued a TAP to bootstrap passwordless, and pulled the AADSTS codes that name each gate — the whole diagnostic loop without touching production users.

Cleanup. Revoke the test TAP if you won’t use it (delete the method by its id), and revert any method state you changed for the lab:

# List the user's TAP method ids, then delete the one you issued
az rest --method GET \
  --url "https://graph.microsoft.com/v1.0/users/<test-user-upn>/authentication/temporaryAccessPassMethods" \
  --query "value[].id" -o tsv
# az rest --method DELETE --url ".../temporaryAccessPassMethods/<id>"

Cost note. Nothing in this lab incurs charges — MFA, the Authentication methods policy, TAP and sign-in logs are part of the directory. (Some advanced controls such as Conditional Access and Identity Protection require Entra ID P1/P2 licensing, covered under Cost & sizing.)

Common mistakes & troubleshooting

This is the playbook — the part you bookmark, a scannable table you can read with a locked-out VIP on the phone. It spans the basic failures (push off, wrong number, method disabled) and the advanced ones (CA blocks registration, AAGUID restriction, mid-migration split, System-Preferred shadowing); the full reasoning for each row is in the matching Symptom section above.

# Symptom Root cause Confirm (exact cmd / portal path) Fix
1 “More information required” loop; no way to add a method A CA policy blocks the Register security information action Sign-in logs → open event → Conditional Access tab shows Failure on the registration action Issue a TAP; re-scope the policy so registration is reachable
2 “Add passkey” tile is missing entirely FIDO2 method disabled in policy or group not targeted az rest GET .../authenticationMethodConfigurations/Fido2 --query state = disabled Enable FIDO2 and add the user’s group to includeTargets
3 Passkey enabled but this device is refused AAGUID key-restriction allow-list excludes the model ... Fido2 --query keyRestrictions (isEnforced:true, AAGUID absent) Add the device/Authenticator AAGUID to aaGuids
4 New user can’t sign in to register a passkey Bootstrap chicken-and-egg — no strong method yet Sign-in log 53004/registration interrupt; user has no method Issue a Temporary Access Pass
5 Push never arrives on the phone Notifications off, app stale, or account removed Phone OS notification settings; app version; account present Enable notifications; update app; re-add account
6 Push arrives, “that didn’t work, try again” Number-match confusion — user guesses or can’t see the screen Sign-in screen shows the 2-digit number; log 500121 Coach: read the number from the browser, type it in the app
7 Push works on cellular, never on Wi-Fi Push-service path (APNs/FCM) blocked by network/MDM Reproduce on cellular; check firewall/proxy/MDM Allow push endpoints; exclude app from interception
8 Prompted for Authenticator when only SMS works System-Preferred MFA promotes a broken stronger method ... methods lists a stale Authenticator; promotion order Repair or remove the broken stronger method
9 Sign-in blocked: “you can’t get there from here” CA authentication strength wants a method the user lacks Sign-in logs → CA tab; status 530031 Register a qualifying method (passkey); or fix scope
10 Method registered but doesn’t satisfy MFA Registered for SSPR only, mid-migration split .../authenticationMethodsPolicy --query policyMigrationState ≠ complete Finish migration; register the method under the unified policy
11 Random double MFA prompts for some users Legacy per-user MFA state fighting Conditional Access Legacy MFA portal shows user Enforced Set per-user MFA to Disabled; let CA govern
12 TOTP/OATH code always rejected Clock skew on the device breaks time-based codes Device time vs network time (> ~60 s drift) Enable automatic time; resync; retry
13 Additional context (app/location) not shown; users deny real sign-ins Context setting off in Authenticator policy ... MicrosoftAuthenticator --query featureSettings Enable app-name + location context; target the group
14 “Set up strong auth” block on first sign-in (53004) CA requires strong auth before any method exists Sign-in logs 53004; CA tab Issue a TAP; allow the proof-up/registration path
15 Hardware OATH token “not recognised” Token secret not uploaded/activated in the tenant Authentication methods → OATH tokens list Upload the token CSV and activate it for the user

The full reasoning for each row lives in the matching Symptom section above; the table is the scannable centerpiece. Two entries hide a subtlety worth stating outright:

Best practices

Security notes

Notice these controls pull in the same direction: a phishing-resistant strength for admins, short-lived monitored TAPs, additional context on push, least-privilege reset roles, and registration-anomaly alerting each secure the tenant and prevent the very lockouts and confusion this article troubleshoots.

Cost & sizing

The “bill” here is mostly licensing, not consumption. Core MFA and the Authentication methods policy are free — number matching, passkeys, TAP and sign-in logs cost nothing, so every Symptom-1-through-4 fix is on the included tier. But Conditional Access requires Entra ID P1 (where authentication strengths and the MFA-registration policy live — Symptom 5), and Identity Protection (risk policies, registration-anomaly detection) requires P2; without P1 you fall back to legacy per-user MFA and Security Defaults, which can’t demand phishing-resistant MFA. Longer sign-in log retention means routing to a Log Analytics workspace at the usual per-GB ingestion cost. The cost drivers and what each buys you (INR-leaning, 1,000-seat org):

Cost driver What you pay for Rough figure What it enables / fixes Watch-out
Core MFA + methods policy Included with the directory ₹0 extra Number match, passkeys, TAP, sign-in logs Free tier can’t require auth-strengths
Entra ID P1 Per-user/month (often in M365 E3) ~₹500–550/user Conditional Access, auth-strengths, MFA-registration policy Needed for Symptom-5 fixes
Entra ID P2 Per-user/month (often in M365 E5) ~₹750–900/user Identity Protection, risk-based CA, registration-anomaly alerts Only some users may need P2
Log Analytics ingestion Per-GB sign-in/audit logs ~₹250–350/GB Long retention + KQL forensics Sample/scope to control spend
FIDO2 security keys (optional) Hardware per user ₹1,500–4,000/key one-off Phishing-resistant without a phone Device-bound Authenticator passkeys are free

The sizing rule: most users need P1 (CA + auth-strengths), only privileged and high-risk users strictly need P2, and device-bound passkeys in Authenticator give phishing-resistant MFA at zero hardware cost — buy security keys only where a phone won’t do.

Interview & exam questions

1. A user is stuck on “More information required” and can’t add any method. Where do you look first and what’s the likely cause? Open the sign-in logsConditional Access tab on the interrupted event; the likely cause is a CA policy blocking the Register security information action (e.g. requiring MFA to register MFA). Fix by issuing a TAP and re-scoping the policy so registration is reachable.

2. What’s the difference, in the logs, between a user who has no MFA method and one whose method just failed? No method triggers a registration interrupt50079/50072, marked “interrupted.” A failed method shows 500121 (challenge not completed) or 50074/50076 (MFA required, not satisfied) as an actual failure. Interrupt = register; failure = deliver/complete.

3. Since when is number matching mandatory, and what does it change for the user? Enforced for all Authenticator push since February 2023. The user can no longer tap Approve/Deny; the sign-in screen shows a two-digit number they must read and type into the app, and there is no toggle to disable it.

4. A user’s “Add passkey” is greyed out even though FIDO2 is enabled tenant-wide. Why? Most likely a key-restriction allow-list that omits the device’s AAGUID — commonly the Authenticator-app AAGUID never added to aaGuids. Confirm via keyRestrictions on the FIDO2 config; fix by adding the AAGUID or relaxing enforcement.

5. What is a Temporary Access Pass and which problem does it specifically solve? A time-limited passcode that itself satisfies MFA, solving the passwordless bootstrap chicken-and-egg: a new or reset user with no strong method uses it to sign in once and register a passkey. It needs Authentication Administrator and should be short-lived and monitored.

6. System-Preferred MFA is prompting a user for Authenticator when they expected SMS. Is that a bug, and how do you fix it? Not a bug — it prompts the strongest registered method, and Authenticator outranks SMS. If that registration is broken, repair or remove it so the working method is promoted; don’t disable System-Preferred globally (a security regression).

7. A Conditional Access sign-in fails with AADSTS530031. What does that specifically mean? A CA authentication strength required a stronger method than the user holds — typically phishing-resistant (passkey/FIDO2/WHfB) when they only have push or SMS. Fix by registering a qualifying method or correcting scope. (Generic 53003 is a non-specific block.)

8. Why might a method a user registered not count for MFA? Mid-migration, a method registered under the legacy SSPR policy may not count for MFA until the unified policy is fully in force (policyMigrationState = migrationComplete). Finish the migration to unify registration across MFA and SSPR.

9. A subset of users get prompted for MFA twice. What’s the classic cause? Legacy per-user MFA has the account Enforced and a CA policy also requires MFA — the engines stack. Set per-user MFA to Disabled and let Conditional Access be the single authority.

10. Which Entra licence tier do you need to require phishing-resistant MFA on an app, and what’s the non-obvious cause of TOTP codes always being rejected? You need Entra ID P1, because Conditional Access (where authentication strengths live) requires P1; without it you’re limited to Security Defaults / legacy per-user MFA, which can’t demand a phishing-resistant strength (P2 adds risk-based policies on top). Separately, TOTP codes that always fail are usually clock skew — the code is time-based, so a device clock off by more than the window makes every code “incorrect”; enable automatic date and time.

These map mainly to SC-300 and AZ-500 (with passwordless/FIDO2 in SC-900 at awareness level):

Question theme Primary cert Exam objective area
Authentication methods policy, number match, passkeys SC-300 Implement & manage authentication methods
TAP, passwordless onboarding SC-300 Plan & implement passwordless
Conditional Access, authentication strengths SC-300 / AZ-500 Implement Conditional Access
AADSTS codes, sign-in log troubleshooting SC-300 / AZ-500 Monitor & troubleshoot identity
Per-user MFA vs CA, migration SC-300 Manage MFA / migrate legacy settings
Identity Protection, risk policies (P2) AZ-500 Implement Identity Protection

Quick check

  1. A user is stuck on “More information required” and there’s no way to add a method. What single report/tab tells you whether a Conditional Access policy is blocking registration, and what’s the usual fix?
  2. True or false: you can disable number matching tenant-wide if it’s confusing your users.
  3. “Add passkey” is greyed out for a user even though FIDO2 is enabled for everyone. Name the most likely cause and where to confirm it.
  4. A brand-new user can’t sign in strongly enough to register their first passkey. What do you issue, and which role do you need to issue it?
  5. AADSTS 530031 appears on a blocked sign-in. What does it specifically tell you, versus a plain 53003?

Answers

  1. The sign-in logs → open the interrupted event → Conditional Access tab; a policy in Failure against the Register security information action is the blocker. The usual fix is to issue a Temporary Access Pass and re-scope the policy so the registration action is reachable (test it report-only first).
  2. False. Number matching has been enforced for all Authenticator push since February 2023 and cannot be turned off. “Push broken” after that date is usually the user not reading and typing the two-digit number from the sign-in screen.
  3. A key-restriction allow-list (AAGUID enforcement) that doesn’t include the device’s AAGUID — classically the Authenticator-app AAGUID omitted when enabling passkeys-in-Authenticator. Confirm via keyRestrictions on the FIDO2 method config (az rest GET .../Fido2).
  4. Issue a Temporary Access Pass (TAP) — a time-limited passcode that satisfies MFA so the user can sign in once and register a passkey. You need Authentication Administrator (or higher) to issue it.
  5. 530031 specifically means a Conditional Access authentication strength required a stronger method (typically phishing-resistant: passkey/FIDO2/WHfB) than the user holds. A plain 53003 is a generic Conditional Access block with no implication about method strength.

Glossary

Next steps

You can now localise any “I can’t log in” MFA report to a specific gate and fix it. Build outward:

Entra IDMFAPasswordlessAuthentication MethodsNumber MatchingConditional AccessTroubleshootingAADSTS
Need this built for real?

Vinod is a Senior Cloud Architect (22+ yrs) — available for Azure / AWS / GCP architecture, landing zones, and migrations.

Work with me

Comments

Keep Reading