The short version: an MFA reset is not “click reset and move on.” Verify the user, confirm what changed, remove only the broken method, enroll a safe replacement, test sign-in, and document the exact result. MFA exists because passwords fail. Treat resets like security work, not password-reset busywork with extra buttons.

This checklist is for help desk techs handling everyday tickets: new phone, lost phone, deleted authenticator app, missing push prompt, login loop, or executive traveling while the old device is three states away.

The goal is simple: get the real user in, keep the attacker out, and leave notes the next tech can trust.

When to use this checklist

Use this flow when the ticket involves MFA, two-factor authentication, an authenticator app, SMS codes, security keys, Microsoft Authenticator, Duo, Okta Verify, Google Authenticator, or any other second factor.

Common user phrasing:

  • “I got a new phone and cannot log in.”
  • “The authenticator app is asking me to set up again.”
  • “I approved the prompt but it still fails.”
  • “I am not getting the MFA code.”
  • “I lost my phone.”
  • “It says I need admin approval.”
  • “I am locked out of email/VPN/Teams.”

Do not assume all of those are the same problem. A missing push notification, a deleted app, a blocked conditional access policy, and a stolen phone are different tickets.

SymptomLikely laneFirst move
User got a new phone and still has the old phoneNormal resetVerify identity, add new method, remove old method
User deleted authenticator app but still has the phoneNormal resetVerify identity, re-enroll app
User lost phone in public placeSecurity-sensitive resetVerify identity, remove lost method, consider device wipe/escalation
User says they received random MFA promptsPossible attackDo not just reset; escalate and check sign-in activity
User cannot pass MFA from a new country or devicePolicy/sign-in issueCheck sign-in logs and conditional access result
User asks to bypass MFA urgentlyHigh-risk requestFollow policy, get approval, document everything

If the user reports unexpected MFA prompts, repeated failed logins, or a phone that may be stolen, pause the normal reset script. This may be credential compromise, not “MFA being annoying.”

Related guide: Security+ access control practice questions covers the same idea from the exam side: identity controls matter because access mistakes get expensive fast.

The MFA reset checklist

1. Confirm the exact app and service

Start by finding the actual failure point.

Ask:

  • What are you trying to sign into: Windows, VPN, email, Teams, payroll, or something else?
  • Are you using Microsoft Authenticator, Duo, Okta Verify, SMS, a hardware key, or another method?
  • Did anything change recently: new phone, phone number, password, device replacement, travel, role change, or license change?
  • Do you still have access to any enrolled method?
  • What exact error message do you see?

This keeps you from resetting MFA when the real issue is a locked account, expired password, missing license, device compliance failure, or VPN client problem.

If the user can sign into Microsoft 365 in a browser but not VPN, use the VPN troubleshooting checklist before blaming MFA. If email is the only broken app, use the email troubleshooting checklist.

2. Verify identity before changing MFA

MFA reset requests are attractive to attackers because they can turn “I know the password” into “I own the account.” Do not reset based only on a friendly Slack message.

Use your company procedure. If there is no procedure, that is a problem worth raising, but you still need a sane minimum.

Reasonable verification options:

  • Call the user at the number already listed in HR or the directory, not the number provided in the ticket.
  • Video call with badge or face verification if your company allows it.
  • Manager confirmation through an established internal channel.
  • In-person verification for local staff.
  • Help desk challenge process approved by security.

Avoid weak verification:

  • “They knew their employee ID.”
  • “The request came from their email.”
  • “Their manager sounded busy, so I skipped it.”
  • “They seemed annoyed, therefore probably legit.”

Annoyed users are normal. Attackers pretending to be annoyed are also normal. Follow the process anyway.

3. Check account status and sign-in clues

Before removing anything, check whether the account itself is healthy.

Look for:

  • Account disabled or locked.
  • Recent password change.
  • Risky sign-in flags if your identity platform shows them.
  • Failed sign-ins from unfamiliar locations or devices.
  • Conditional access or device compliance failures.
  • MFA method already changed recently.
  • Multiple reset requests in a short window.

This is where the ticket can fork.

If the user simply replaced their phone and sign-in history looks normal, continue the reset.

If you see strange failed logins, impossible travel, repeated prompts the user did not initiate, or method changes the user does not recognize, escalate to security or your senior admin before “fixing” the ticket. The account may already be under attack.

For Active Directory-heavy environments, tie this back to your normal identity checks. The Active Directory basics guide is a useful refresher if you are still learning where accounts, groups, and lockouts fit.

4. Remove only the broken or risky method

Do not nuke every method unless policy says to. Remove the method that is broken, lost, or suspicious.

Examples:

  • New phone, old phone still available: add the new authenticator first if possible, test it, then remove the old device.
  • Lost phone: remove the lost phone method before enrolling anything new.
  • Changed phone number: update the number only after identity verification.
  • Deleted app registration: require re-registration for the authenticator app.
  • Suspicious prompts: remove risky methods and escalate for password reset/session revoke per policy.

The safer pattern is: remove the risky thing, enroll the new thing, test the new thing, document both.

5. Enroll the replacement method with the user present

Do not send a vague “try it now” message and hope for the best. Walk through the enrollment until the user successfully completes a sign-in.

For an authenticator app reset:

  1. Tell the user which app to install or open.
  2. Start the re-registration flow in the identity portal.
  3. Have the user scan the QR code or approve the enrollment prompt.
  4. Confirm the method appears on the account.
  5. Have the user sign out and sign back into the affected app.
  6. Confirm they can complete MFA without help.

If your environment supports multiple methods, encourage a backup method that matches policy. That might be a second authenticator-capable device, a hardware key, or another approved method. Do not improvise insecure backups just because they are convenient.

6. Revoke sessions when the situation calls for it

A normal new-phone swap may not need session revocation. A lost device, suspicious MFA prompts, unknown sign-in activity, or confirmed password compromise probably does.

Depending on your tools and permissions, the senior admin or security team may need to:

  • Revoke active sessions.
  • Force password reset.
  • Require MFA re-registration.
  • Disable the account temporarily.
  • Remove trusted devices.
  • Review recent mailbox rules or forwarding.
  • Check VPN and cloud app sign-ins.

If you are Tier 1 and do not have those buttons, that is fine. Your job is to recognize when the ticket moved beyond Tier 1 and escalate with clean notes.

7. Test the actual app the user needed

Do not stop at “MFA setup complete.” Test the thing that caused the ticket.

Examples:

  • If the issue started with Outlook, confirm Outlook or webmail works.
  • If the issue started with VPN, confirm VPN connects and internal resources load.
  • If the issue started with Teams, confirm Teams signs in and messages load.
  • If the issue started with a password manager or admin portal, confirm the exact portal works.

This matters because MFA may be only one layer. The user might pass MFA and still be blocked by device compliance, stale tokens, cached credentials, license assignment, group membership, or app-specific policy.

Copyable ticket notes for MFA resets

Use these as starting points. Replace tool names and policy details with your environment.

New phone, normal reset

User reported inability to complete MFA after replacing phone. Verified identity per help desk procedure using directory phone number. User still had old device available. Added Microsoft Authenticator on new phone, confirmed successful test prompt, removed old phone method, and verified user could sign into Microsoft 365 and Teams. No suspicious sign-in activity observed during review. Closing ticket.

Lost phone

User reported lost phone containing MFA app. Verified identity per procedure and confirmed phone is no longer in user’s possession. Removed lost device MFA method from account and escalated device-loss portion to endpoint/security queue per policy. Enrolled replacement authenticator method on new device and verified successful Microsoft 365 sign-in. User advised to report any unexpected prompts immediately.

Suspicious MFA prompts

User reported receiving MFA prompts they did not initiate. Did not perform standard reset only. Verified identity, reviewed recent sign-in activity, and found repeated failed attempts from unfamiliar source. Escalated to security queue, forced password reset/re-registration per approved procedure, and documented timestamps/screenshots. User confirmed no further unexpected prompts after remediation.

MFA works in browser but VPN still fails

User can complete MFA and sign into Microsoft 365 successfully. VPN still fails after authentication. Confirmed account not locked, MFA prompt completes, and issue occurs on home Wi-Fi and mobile hotspot. Collected VPN client version, screenshot, public IP, and timestamp. Escalating to network team to review VPN gateway logs.

For more examples like this, see help desk ticket notes that don’t stink.

Common mistakes to avoid

Resetting MFA without verifying the user

This is the big one. If an attacker has a password and convinces help desk to reset MFA, the account is basically theirs. Be polite, but be boringly strict.

Removing every method for no reason

Blanket removal can lock the user out harder and create extra risk. Remove what is broken or suspicious, then enroll the replacement cleanly.

Ignoring “random prompts”

Random MFA prompts are not a minor annoyance. They can mean someone has the password and is trying to push-bomb the user into approving. Escalate.

Forgetting mobile apps and cached sessions

A user may pass MFA in the browser but still fail in Outlook, Teams, VPN, or a phone mail app because old tokens or cached credentials are hanging around. Test the real app.

Writing useless notes

“Reset MFA” is not enough. Document identity verification, method changed, app tested, sign-in result, and escalation if any.

Quick MFA reset runbook

Use this when you need the compressed version:

  1. Capture exact app, error, MFA method, and recent changes.
  2. Decide whether it is normal reset or possible security incident.
  3. Verify identity using approved procedure.
  4. Check account status and recent sign-in clues.
  5. Remove the broken/lost/suspicious method.
  6. Enroll the replacement method with the user present.
  7. Test sign-in to the affected app.
  8. Revoke sessions/escalate if suspicious or policy requires it.
  9. Document the verification, change, result, and next step.

FAQ

Should help desk reset MFA over chat?

Only if your company has an approved identity verification process that works over chat. A message from a logged-in account is not enough by itself. If that account is already compromised, the attacker is the one chatting with you.

What if the user is an executive and wants it fixed now?

Executives are high-value targets, not exceptions to security. Move quickly, but do the verification. If your process requires manager or security approval for risky resets, get it and note it.

Is an MFA reset the same as a password reset?

No. A password reset changes something the user knows. An MFA reset changes something the user has or uses to prove identity. Treat it with at least as much care as a password reset, usually more.

Final thought

MFA reset tickets are routine until they are not. Most are honest users with new phones. Some are attackers trying to turn help desk into the weakest link. The checklist is how you help the first group without helping the second.