MFA Prompt Loop in Microsoft 365 — How to Fix

Fix the MFA prompt loop where Microsoft 365 keeps asking for multi-factor authentication repeatedly without granting access. Covers token issues, Conditional Access conflicts, and browser problems.

6 min readUpdated March 29, 2026

Overview

The MFA prompt loop is one of the most frustrating Microsoft 365 issues: you enter your password, complete MFA, and then get sent straight back to the MFA prompt — endlessly. This can affect Outlook, Teams, SharePoint, or any Microsoft 365 app.

This is almost always caused by one of five things: stale tokens, browser state, Conditional Access conflicts, device compliance failures, or a misconfigured MFA registration.

Fix 1: Clear Browser State (Most Common)

Stale cookies and cached tokens are the #1 cause.

For Edge / Chrome

Press Ctrl + Shift + Delete
Set time range to All time
Check: Cookies and other site data, Cached images and files
Click Clear data
Close and reopen the browser
Sign in again

For a faster targeted clear

Clear only Microsoft-related cookies:

Go to edge://settings/siteData (Edge) or chrome://settings/cookies/all (Chrome)
Search for microsoft and live.com
Delete all matching entries
Restart the browser

Try InPrivate / Incognito

Open an InPrivate window (Ctrl + Shift + N in Edge) and try signing in. If it works in InPrivate but not in a normal window, the problem is definitely cached browser state.

Fix 2: Revoke User Sessions

If the user's authentication tokens are corrupted or stuck in a bad state, revoke all sessions to force a clean re-authentication.

From the admin portal

Go to entra.microsoft.com > Users > find the user
Click Revoke sessions
Ask the user to close all apps and sign in again

From PowerShell

powershell

Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId "[email protected]"

The user will need to re-authenticate on all devices after this.

Fix 3: Check Conditional Access Policies

Conflicting Conditional Access policies are a common cause of MFA loops. The loop happens when one policy grants access after MFA, but another policy blocks the session, triggering a new sign-in that asks for MFA again.

Go to entra.microsoft.com > Monitoring > Sign-in logs
Find the affected user's recent sign-in attempts
Click a sign-in entry > Conditional Access tab
Look for policies showing Failure — these are causing the block

Diagnose with the What-If tool

Go to entra.microsoft.com > Protection > Conditional Access > What If
Select the affected user and the application they are trying to access
Review which policies would apply and whether any conflict

Common conflicts

Policy A	Policy B	Result
Require MFA	Require compliant device (device not compliant)	MFA loop — MFA passes but compliance blocks, triggering re-auth
Require MFA from all locations	Block access from untrusted locations	Loop if the user's location is classified as untrusted
Require MFA for all apps	Exclude a specific app	Loop if the app was incorrectly identified

Tip

The most common conflict is a device compliance policy blocking access after MFA succeeds. Check if the user's device is marked as compliant in Intune (intune.microsoft.com > Devices > search for the device).

Fix 4: Re-register MFA Methods

If the user's MFA registration is corrupt or their Authenticator app is out of sync:

Have the user re-register

Go to mysignins.microsoft.com/security-info
Delete the existing Authenticator entry
Click Add sign-in method > Authenticator app
Set up the Authenticator app fresh with a new QR code scan

Admin-initiated reset

If the user cannot access the portal:

powershell

# Remove all authentication methods for the user
# Then have them re-register at next sign-in
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# List current methods
Get-MgUserAuthenticationMethod -UserId "[email protected]"

# Delete a specific method (e.g., phone)
Remove-MgUserAuthenticationPhoneMethod -UserId "[email protected]" -PhoneAuthenticationMethodId "<method-id>"

Or from the admin portal:

Go to entra.microsoft.com > Users > find the user
Click Authentication methods
Click Require re-register MFA

Fix 5: Check for Token Lifetime Issues

If the user is on a managed device and the MFA loop happens specifically in desktop apps (Outlook, Teams):

Clear Office credential cache

Close all Office apps
Open Credential Manager (search in Start)
Under Windows Credentials and Generic Credentials, remove all entries containing:
- MicrosoftOffice16
- msteams
- login.microsoftonline.com
Reopen the Office app and sign in again

Clear Teams-specific cache

Close Teams completely (check system tray)
Press Win + R, type %appdata%\Microsoft\Teams
Delete the contents of the folder
Restart Teams

Clear the WAM token broker

The Web Account Manager (WAM) handles authentication for Office apps on Windows:

powershell

# Run in an elevated PowerShell
dsregcmd /forcerecovery

Then restart the machine and sign in again.

Fix 6: Check for Hybrid Join Issues

If the device is Microsoft Entra hybrid joined and the MFA loop only happens on this specific device:

powershell

# Check device registration status
dsregcmd /status

Look for:

AzureAdJoined: YES
DomainJoined: YES (for hybrid)
DeviceAuthStatus: SUCCESS

If any of these are wrong:

powershell

# Leave and rejoin
dsregcmd /leave
# Restart the device
# It will automatically rejoin via Group Policy

Diagnostic Flowchart

Symptom	First Step
Loop in browser only	Clear cookies and cache (Fix 1)
Loop in all apps and browsers	Revoke sessions (Fix 2)
Loop on one device, works on others	Clear credential cache (Fix 5) or check device registration (Fix 6)
Loop for one user, others are fine	Re-register MFA (Fix 4) or check CA policies for that user (Fix 3)
Loop for all users	Check Conditional Access for a recent policy change (Fix 3)

When to Escalate

Open a support case via admin.microsoft.com > Support > New service request if:

The MFA loop persists after trying all fixes above
Sign-in logs show no Conditional Access failures but the loop continues
The issue started after a Microsoft service update (may be a platform-side issue)
The user's account shows unusual sign-in activity suggesting compromise

MFAMicrosoft 365TroubleshootingMicrosoft Entra IDConditional Access

GuidesHow to Set Up MFA for Microsoft 365 (Step-by-Step)A complete guide to enabling multi-factor authentication for every user in your Microsoft 365 tenant using Conditional Access, Microsoft Authenticator, and passkeys.Read GuidesSetting Up Conditional Access Policies in Microsoft Entra IDA practical guide to creating Conditional Access policies in Microsoft Entra ID to enforce MFA, block risky sign-ins, and require compliant devices for Microsoft 365 access.Read SecurityIncident Response Checklist for a Compromised Office 365 AccountA step-by-step incident response checklist for when a Microsoft 365 account is compromised. Covers containment, investigation, remediation, and prevention.Read

Was this article helpful?

Troubleshooting

MFA Prompt Loop in Microsoft 365 — How to Fix

Fix the MFA prompt loop where Microsoft 365 keeps asking for multi-factor authentication repeatedly without granting access. Covers token issues, Conditional Access conflicts, and browser problems.

6 min readUpdated March 29, 2026

Overview

This is almost always caused by one of five things: stale tokens, browser state, Conditional Access conflicts, device compliance failures, or a misconfigured MFA registration.

Fix 1: Clear Browser State (Most Common)

Stale cookies and cached tokens are the #1 cause.

For Edge / Chrome

Press Ctrl + Shift + Delete
Set time range to All time
Check: Cookies and other site data, Cached images and files
Click Clear data
Close and reopen the browser
Sign in again

For a faster targeted clear

Clear only Microsoft-related cookies:

Go to edge://settings/siteData (Edge) or chrome://settings/cookies/all (Chrome)
Search for microsoft and live.com
Delete all matching entries
Restart the browser

Try InPrivate / Incognito

Open an InPrivate window (Ctrl + Shift + N in Edge) and try signing in. If it works in InPrivate but not in a normal window, the problem is definitely cached browser state.

Fix 2: Revoke User Sessions

If the user's authentication tokens are corrupted or stuck in a bad state, revoke all sessions to force a clean re-authentication.

From the admin portal

Go to entra.microsoft.com > Users > find the user
Click Revoke sessions
Ask the user to close all apps and sign in again

From PowerShell

powershell

Connect-MgGraph -Scopes "User.ReadWrite.All"
Revoke-MgUserSignInSession -UserId "[email protected]"

The user will need to re-authenticate on all devices after this.

Fix 3: Check Conditional Access Policies

Go to entra.microsoft.com > Monitoring > Sign-in logs
Find the affected user's recent sign-in attempts
Click a sign-in entry > Conditional Access tab
Look for policies showing Failure — these are causing the block

Diagnose with the What-If tool

Go to entra.microsoft.com > Protection > Conditional Access > What If
Select the affected user and the application they are trying to access
Review which policies would apply and whether any conflict

Common conflicts

Policy A	Policy B	Result
Require MFA	Require compliant device (device not compliant)	MFA loop — MFA passes but compliance blocks, triggering re-auth
Require MFA from all locations	Block access from untrusted locations	Loop if the user's location is classified as untrusted
Require MFA for all apps	Exclude a specific app	Loop if the app was incorrectly identified

Tip

Fix 4: Re-register MFA Methods

If the user's MFA registration is corrupt or their Authenticator app is out of sync:

Have the user re-register

Go to mysignins.microsoft.com/security-info
Delete the existing Authenticator entry
Click Add sign-in method > Authenticator app
Set up the Authenticator app fresh with a new QR code scan

Admin-initiated reset

If the user cannot access the portal:

powershell

# Remove all authentication methods for the user
# Then have them re-register at next sign-in
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# List current methods
Get-MgUserAuthenticationMethod -UserId "[email protected]"

# Delete a specific method (e.g., phone)
Remove-MgUserAuthenticationPhoneMethod -UserId "[email protected]" -PhoneAuthenticationMethodId "<method-id>"

Or from the admin portal:

Go to entra.microsoft.com > Users > find the user
Click Authentication methods
Click Require re-register MFA

Fix 5: Check for Token Lifetime Issues

If the user is on a managed device and the MFA loop happens specifically in desktop apps (Outlook, Teams):

Clear Office credential cache

Close all Office apps
Open Credential Manager (search in Start)
Under Windows Credentials and Generic Credentials, remove all entries containing:
- MicrosoftOffice16
- msteams
- login.microsoftonline.com
Reopen the Office app and sign in again

Clear Teams-specific cache

Close Teams completely (check system tray)
Press Win + R, type %appdata%\Microsoft\Teams
Delete the contents of the folder
Restart Teams

Clear the WAM token broker

The Web Account Manager (WAM) handles authentication for Office apps on Windows:

powershell

# Run in an elevated PowerShell
dsregcmd /forcerecovery

Then restart the machine and sign in again.

Fix 6: Check for Hybrid Join Issues

If the device is Microsoft Entra hybrid joined and the MFA loop only happens on this specific device:

powershell

# Check device registration status
dsregcmd /status

Look for:

AzureAdJoined: YES
DomainJoined: YES (for hybrid)
DeviceAuthStatus: SUCCESS

If any of these are wrong:

powershell

# Leave and rejoin
dsregcmd /leave
# Restart the device
# It will automatically rejoin via Group Policy

Diagnostic Flowchart

Symptom	First Step
Loop in browser only	Clear cookies and cache (Fix 1)
Loop in all apps and browsers	Revoke sessions (Fix 2)
Loop on one device, works on others	Clear credential cache (Fix 5) or check device registration (Fix 6)
Loop for one user, others are fine	Re-register MFA (Fix 4) or check CA policies for that user (Fix 3)
Loop for all users	Check Conditional Access for a recent policy change (Fix 3)

When to Escalate

Open a support case via admin.microsoft.com > Support > New service request if:

The MFA loop persists after trying all fixes above
Sign-in logs show no Conditional Access failures but the loop continues
The issue started after a Microsoft service update (may be a platform-side issue)
The user's account shows unusual sign-in activity suggesting compromise

MFAMicrosoft 365TroubleshootingMicrosoft Entra IDConditional Access

Was this article helpful?

Related Articles

Related Articles