Frequently asked questions about Microsoft Entra multifactor authentication

This FAQ answers common questions about Microsoft Entra multifactor authentication and using the multifactor authentication service. It's broken down into questions about the service in general, billing models, user experiences, and troubleshooting.

General

What short codes are used for sending text messages to my users?

In the United States, we use the following short codes:

  • 97671
  • 69829
  • 51789
  • 99399

In Canada, we use the following short codes:

  • 759731
  • 673801

There's no guarantee of consistent text message or voice-based multifactor authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve text message deliverability.

We don't support short codes for countries or regions besides the United States and Canada.

Does Microsoft Entra multifactor authentication throttle user sign-ins?

Yes, in certain cases that typically involve repeated authentication requests in a short time window, Microsoft Entra multifactor authentication throttles user sign-in attempts to protect telecommunication networks, mitigate MFA fatigue-style attacks and protect its own systems for the benefit of all customers.

Although we don't share specific throttling limits, they're based around reasonable usage.

Is my organization charged for sending the phone calls and text messages that are used for authentication?

No, you're not charged for individual phone calls placed or text messages sent to users through Microsoft Entra multifactor authentication. If you use a per-authentication MFA provider, you're billed for each authentication, but not for the method used.

Your users might be charged for the phone calls or text messages they receive, according to their personal phone service.

Does the per-user billing model charge me for all enabled users, or just the ones that performed two-step verification?

Billing is based on the number of users configured to use multifactor authentication, regardless of whether they performed two-step verification that month.

Is there a free version of Microsoft Entra multifactor authentication?

Security defaults can be enabled in the Microsoft Entra ID Free tier. With security defaults, all users are enabled for multifactor authentication using the Microsoft Authenticator app. There's no ability to use text message or phone verification with security defaults, just the Microsoft Authenticator app.

For more information, see What are security defaults?

Does my organization have to use and synchronize identities to use Microsoft Entra multifactor authentication?

If your organization uses a consumption-based billing model, Microsoft Entra ID is optional; it isn't required.

Microsoft Entra ID is required for the license model because licenses are added to the Microsoft Entra tenant when you purchase and assign them to users in the directory.

Manage and support user accounts

What should I tell my users to do if they don't receive a response on their phone?

Have your users attempt up to five times in 5 minutes to get a phone call or text message for authentication. Microsoft uses multiple providers for delivering calls and text messages. If this approach doesn't work, open a support case to troubleshoot further.

Third-party security apps may also block the verification code text message or phone call. If using a third-party security app, try disabling the protection, then request another MFA verification code be sent.

If the prior steps don't work, check if users are configured for more than one verification method. Try signing in again, but select a different verification method on the sign-in page.

For more information, see the end-user troubleshooting guide.

What should I do if one of my users can't get in to their account?

You can reset the user's account by making them go through the registration process again. Learn more about managing user and device settings with Microsoft Entra multifactor authentication in the cloud.

What should I do if one of my users loses a phone that is using app passwords?

To prevent unauthorized access, delete all the user's app passwords. After the user has a replacement device, they can recreate the passwords. Learn more about managing user and device settings with Microsoft Entra multifactor authentication in the cloud.

My users say that sometimes they don't receive the text message or the verification times out.

Delivery of text messages isn't guaranteed because uncontrollable factors might affect the reliability of the service. These factors include the destination country or region, the mobile phone carrier, and the signal strength.

Third-party security apps may also block the verification code text message or phone call. If using a third-party security app, try disabling the protection, then request another MFA verification code be sent.

If your users often have problems with reliably receiving text messages, tell them to use the Microsoft Authenticator app or phone call method instead. The Microsoft Authenticator can receive notifications both over cellular and Wi-Fi connections. In addition, the mobile app can generate verification codes even when the device has no signal at all. The Microsoft Authenticator app is available for Android, iOS, and Windows Phone.

Can I change the amount of time my users have to enter the verification code from a text message before the system times out?

For one-way SMS with Microsoft Entra multifactor authentication in the cloud (including the AD FS adapter or the Network Policy Server extension), you can't configure the timeout setting. Microsoft Entra ID stores the verification code for 180 seconds.

Why are my users being prompted to register their security information?

There are several reasons that users could be prompted to register their security information:

  • The user has been enabled for MFA by their administrator in Microsoft Entra ID, but doesn't have security information registered for their account yet.
  • The user has been enabled for self-service password reset in Microsoft Entra ID. The security information will help them reset their password in the future if they ever forget it.
  • The user accessed an application that has a Conditional Access policy to require MFA and hasn't previously registered for MFA.
  • The user is registering a device with Microsoft Entra ID (including Microsoft Entra join), and your organization requires MFA for device registration, but the user hasn't previously registered for MFA.
  • The user is generating Windows Hello for Business in Windows 10 (which requires MFA) and hasn't previously registered for MFA.
  • The organization has created and enabled an MFA Registration policy that has been applied to the user.
  • The user previously registered for MFA, but chose a verification method that an administrator has since disabled. The user must therefore go through MFA registration again to select a new default verification method.

Errors

What should users do if they see an "Authentication request isn't for an activated account" error message when using mobile app notifications?

Ask the user to complete the following procedure to remove their account from the Microsoft Authenticator, then add it again:

  1. Go to their account profile and sign in with an organizational account.
  2. Select Additional Security Verification.
  3. Remove the existing account from the Microsoft Authenticator app.
  4. Select Configure, and then follow the instructions to reconfigure the Microsoft Authenticator.

What should users do if they see a 0x800434D4L error message when signing in to a nonbrowser application?

The 0x800434D4L error occurs when you try to sign in to a nonbrowser application, installed on a local computer, that doesn't work with accounts that require two-step verification.

A workaround for this error is to have separate user accounts for admin-related and nonadmin operations. Later, you can link mailboxes between your admin account and nonadmin account so that you can sign in to Outlook by using your nonadmin account. For more details about this solution, learn how to give an administrator the ability to open and view the contents of a user's mailbox.

Next steps

If your question isn't answered here, the following support options are available: