How to Fix Conditional Access blocked because Multi-Factor Authentication is required

What this error means

Conditional Access decided the user needs to perform MFA, and either the user hasn't registered MFA methods or the prompt failed.

Why this happens

User hasn't done MFA proof-up, the device can't reach the MFA endpoint, or a MFA method (e.g. Authenticator) isn't responding.

Quick fix (for end users)

• Have the user register MFA at https://aka.ms/mfasetup.
• Confirm their phone has internet and the Authenticator app is signed in.

Admin / engineer fix

• If the user can't reach MFA setup (chicken-and-egg), issue a temporary access pass.

  commandCopy

  New-MgUserAuthenticationTemporaryAccessPassMethod -UserId <upn> -BodyParameter @{ isUsableOnce = $true; lifetimeInMinutes = 60 }

• Check Sign-in logs in Entra → look at the Conditional Access tab to see exactly which policy applied.

Step-by-step fix

1. 1

   Have the user register MFA methods.

2. 2

   If they can't, issue a TAP to bootstrap registration.

3. 3

   Retry sign-in.

Common variations of this error

People also see these phrasings of the same problem:

• MFA required by policy
• AADSTS50076: due to a configuration change

Still broken? Try these

• Confirm the user is in scope of the right Conditional Access policy.
• Check whether named locations or trusted IP ranges are bypassed unexpectedly.
• If using number matching, ensure the device clock is synced.

Related errors

• Entra ID
  AADSTS50079: Due to a configuration change, the user is required to use multi-factor authentication
• Entra ID
  AADSTS53003: Access has been blocked by Conditional Access policies

Related searches

• entra mfa register
• temporary access pass entra

Frequently asked questions