MFA Reset.

MirrorSphere · Knowledge Base

KB Article 768 · Account Management · Self Service

Need to get a colleague back into their Microsoft 365 account because they’ve lost access to multi-factor authentication (MFA)? This guide walks you through how to raise an MFA reset through the MirrorSphere support portal, what to expect, and what the user needs to do once it’s done.

What is MFA? Multi-factor authentication is the extra security step after entering a password — usually a code from the Microsoft Authenticator app, a text message, or a phone call. Resetting MFA clears the existing methods so the user can register a new one.

Who is this for? Anyone raising an MFA reset on behalf of someone else — usually a manager, team lead, or IT contact helping a colleague who has lost access to their authentication method.

Audience

Requestor

Process Time

~10 mins

Last Reviewed

May 2026

How it Works at a Glance

The MFA reset is automated — once approved, all of the user’s existing MFA methods are cleared and they’re prompted to register a new one the next time they sign in.

You submit

Portal form sent

Approver reviews

Email with one click

MFA cleared

Automatically

User re-registers

On next sign-in

Approval received from your nominated approver, usually within minutes
All existing MFA methods cleared automatically — no agent involvement
You’re notified by email so you can let the user know to sign in
User re-registers MFA at their next sign-in to Microsoft 365

How to Raise the Request

Step 1 — Raise the request

Sign in to the MirrorSphere support portal and choose MFA Reset from the request menu (or use the direct link your IT team has provided).

Fill in the form:

User — from the user lookup, select the colleague who needs their MFA reset
Justification — a short note explaining why, for example “User has a new phone and can no longer access the Authenticator app”

Once you submit the form, you’ll get a confirmation email letting you know the request is awaiting approval.

Request confirmation email — Confirmation email you’ll receive after submitting the request

Step 2 — Wait for approval

An approver (usually a manager or senior team member) will receive an email asking them to approve or reject your request. You don’t need to do anything at this stage — just wait for the next notification.

If the approver hasn’t responded after a while, a reminder is automatically sent on your behalf. If it’s urgent, you can also follow up with them directly.

Step 3 — Check the outcome

You’ll receive an email letting you know what happened:

Complete — the MFA reset has already been done. Carry on to Step 4.
Rejected — the request was declined. The email will explain why. If you think this is a mistake, contact your IT team directly.

MFA reset complete confirmation email — The “MFA reset complete” confirmation email

No password link needed. Unlike a password reset, MFA resets don’t generate a one-time link — the reset happens automatically the moment it’s approved. The user just needs to sign in.

Step 4 — Let the user know

Get in touch with the affected user (in person, by phone, or by Teams) and let them know:

Their MFA has been reset
They should sign in to login.microsoftonline.com as normal
After entering their password, they’ll be prompted to set up a new MFA method — usually by installing or reconfiguring the Microsoft Authenticator app
They should have their phone or authenticator device ready before signing in

Don’t delay — the account is temporarily less secure. Until the user signs in and registers a new MFA method, their account relies on the password alone. Let them know as soon as possible.

Emails You Might Receive

Depending on how the request progresses, you may receive any of the following emails. The table below summarises the journey from submission to completion.

Email	When	What it means
Pending Request Received	Immediately after you submit	Your request is in the queue for approval
Reminder Approval Pending	If review is taking longer than expected	A reminder has been sent to the approver on your behalf
Complete MFA Reset Done	Once the approver approves and the reset completes	The user’s MFA has been cleared — tell them to sign in and register a new method
Declined Request Declined	If the approver rejects	The reason will be in the email — speak to IT if you disagree

Preview of each email

Request Received

Sent immediately when you submit. Confirms your request has been logged and is waiting for the approver to review.

MFA Reset Done Most Important

Sent once the approver approves and the reset completes automatically. This is your cue to let the user know their MFA has been cleared and they should sign in to register a new method.

What the User Needs to Do

Once you’ve let the user know, here’s what they should do:

Install the Microsoft Authenticator app on their phone from the App Store or Google Play (if they don’t have it already)
Sign in to login.microsoftonline.com with their email and password
Follow the on-screen steps to register the Authenticator app (or another approved method)
Once registered, they can sign in with MFA as normal

Add a backup method: After re-registering, the user can add a backup option (like a phone number for SMS or call verification) at mysignins.microsoft.com/security-info. This reduces the chance of being locked out again in future.

On a shared or kiosk device? Advise the user not to tick “Don’t ask again on this device” during sign-in — that leaves an authentication token on a device others might use.

Important to Know

All MFA methods are cleared. Authenticator app, phone calls, text codes — everything registered against the account is removed. The user will need to set up at least one new method when they next sign in.

The password is not affected. An MFA reset doesn’t change the user’s password. If they’ve also forgotten their password, raise a separate password reset request.

You won’t see the user’s MFA setup. The reset just clears the methods — the user has to be the one to register a new one. We can’t do it on their behalf.

If Something Goes Wrong

Most MFA resets go through cleanly, but a few common scenarios are worth knowing about. Here’s how to handle them.

Scenario A

The request was declined

The approver’s reason will be included in the declined email. If you think this is a mistake, contact your IT team directly — don’t simply raise the same request again as it will likely be declined for the same reason.

Scenario B

The approver isn’t responding

A reminder is sent to the approver automatically if the request sits unactioned for too long. If it’s urgent, follow up with the approver directly, or call IT support on +44 (0) 1295 595 444 to arrange an alternative approver.

Scenario C

The user signs in but isn’t prompted for MFA

This usually means the device has a cached sign-in token. Ask them to sign out fully and sign back in — they should be prompted to set up MFA again. They can also go straight to mysignins.microsoft.com/security-info to add a method.

Scenario D

The user is also locked out of their password

Raise both a password reset and an MFA reset request through the portal. The password reset will give you a one-time link to share, and the MFA reset will clear their authentication methods. Both are independent processes.

Frequently Asked Questions

How long does the MFA reset take?

Usually just a few minutes after approval. The reset itself is automated, so once the approver clicks “Approve” it happens almost immediately.

The user got a new phone — can they just transfer the Authenticator app?

If they still have access to their old phone, the Microsoft Authenticator app has a built-in backup and transfer feature — this is usually quicker than a full MFA reset. If they no longer have the old phone, an MFA reset is the right path.

The user has signed in but wasn’t prompted to set up MFA.

The user can still sign in — they just want a different MFA method.

If they can sign in with MFA already, they don’t need a reset. They can manage their authentication methods themselves at mysignins.microsoft.com/security-info.

The user is also locked out of their password.

Raise both a password reset and an MFA reset request through the portal. The password reset will give you a one-time link to share, and the MFA reset will clear their authentication methods.

Can the user reset their own MFA?

Not through this form — if they’re locked out of MFA they usually can’t sign in to the portal to raise the request themselves. That’s why MFA resets are raised by a colleague on their behalf.

Need More Help?

If this guide hasn’t resolved your issue, you have a few ways to reach us.

Self-service portal	Raise a ticket via portal.mirrorsphere.com — the fastest route for non-urgent issues.
Phone support	+44 (0) 1295 595 444, Monday–Friday 08:30–17:30. For urgent issues outside these hours, leave a voicemail — the on-call team monitors it.
Urgent / locked out user	Call the support line above and quote “MFA lockout” so we route you to the right tech first.
Escalation	If the response time isn’t meeting your need, ask the agent to escalate to your account manager or your organisation’s Head of IT.

Need urgent help?

If a colleague is locked out and the request can’t wait, skip the portal and call our support line.

+44 (0) 1295 595 444

KB 768 · Account Management · If you can’t find what you need here, raise a ticket via the support portal and we’ll help.