
Microsoft Entra External ID tenant locked out by MFA


I first wanted to create an Azure B2C tenant. I could not because, starting May 2025, it became deprecated and Entra External ID must be used instead. So I went ahead and created a new External ID tenant under an existing subscription that I have. Everything went well and the tenant got created. However, each time I try to switch to that tenant, I get this message: [screenshot]

The problem is that I get stuck here. Nothing happens. And when I try to click the button, nothing happens either. So I am locked out. I tried clearing the cache, signing out then back in, nothing helped. Even worse, I deleted that tenant and started over, but now I can't use the same tenant URL anymore (e.g. myb2ctenant.onmicrosoft.com) because it says it is used in another directory!

When I check the IAM of this tenant in the Azure portal, I can see myself as owner and the scope is Subscription (inherited), which also means that I should have access.

In addition, I already have MFA set up and I use it regularly to log in to Entra, or any other Microsoft admin platform.

I then tried to log in using the Azure CLI `az login` command. I see this warning regarding the newly created tenant:

The following tenants don't contain accessible subscriptions. Use `az login --allow-no-subscriptions` to have tenant level access.
{My tenant ID here} '{My tenant name here}'.

And in the subscription list that I must choose from during the `az login` process, I see only one option, my only subscription with my home tenant. There is no option whatsoever for the newly created tenant.

Now if I try to log in using `az login --allow-no-subscriptions`, I see my External ID tenant. However, under subscription name, I see N/A (tenant level account). I am expecting to see my one and only subscription, which I assigned my tenant to during creation. Also, in the Azure portal, in the overview tab of this tenant, I can see the right subscription name linked to it. So why is it not showing in the CLI?


Edit #1

I ran this command in PowerShell: [screenshot]

And this is the result. It looks like I got added as a guest or external user to this tenant that I created. I can't understand the logic behind this. I am a Global Admin in my home tenant; I create another tenant and I can't access it because by default I am being assigned as a guest. Then the question is, who can access that tenant and give me permissions?!

Also, I found a Microsoft article that contains a PowerShell script that allows a Global Admin to postpone MFA enforcement for the tenant. However, the script fails with a message saying that I am not an admin.


Solution

I finally figured it out. The main issue was that I initially linked my new External ID tenant to an existing subscription that was still associated with my home directory, which caused problems.

To resolve it, I created a new subscription and made sure to assign it directly to the new tenant / directory.

After that, I was able to switch directories again — and this time, MFA worked as expected, and I successfully switched tenants.

Additionally, I now see that I’m assigned the Global Administrator role by default in the new tenant, just as expected and as confirmed in the Microsoft Docs:

"By default, the user who creates a Microsoft Entra tenant is automatically assigned the Global Administrator role."
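The two things this thread turned on were whether the signed-in account is only a guest in the new tenant and whether any subscription is actually homed in that tenant rather than in the home directory. The script below checks both; it is an added example, not code from the question, the answer or Microsoft's MFA script, and it assumes the Microsoft.Graph and Az PowerShell modules are installed, that `$TenantId` is replaced with the new tenant's ID from the portal overview tab, and that the account can consent to `Directory.Read.All` in that tenant.

```powershell
# Added diagnostic example (assumes the Microsoft.Graph and Az modules are installed).
# Placeholder: put the new External ID tenant's ID (from the portal overview tab) here.
$TenantId = "<NEW-EXTERNAL-ID-TENANT-ID>"

# 1. Who am I in the NEW tenant? A userType of "Guest" explains why a home-tenant
#    Global Admin is told "not an admin" by tenant-level scripts.
Connect-MgGraph -TenantId $TenantId -Scopes "User.Read", "Directory.Read.All" -NoWelcome
$me = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/me?`$select=userPrincipalName,userType"
Write-Host "Signed in as $($me.userPrincipalName) (userType: $($me.userType))"

# Directory roles that are active for this account in the new tenant.
$roles = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole?`$select=displayName"
$roleNames = @($roles.value | ForEach-Object { $_.displayName })
if ($roleNames.Count -eq 0) { Write-Warning "No directory roles in tenant $TenantId" }
else { Write-Host ("Directory roles: " + ($roleNames -join ", ")) }

# 2. Is any subscription homed in the new tenant? "N/A (tenant level account)" from
#    az login means none is; a subscription that still belongs to the home directory
#    does not count, which is what the accepted fix (a new subscription) addresses.
Connect-AzAccount -Tenant $TenantId | Out-Null
$subs = @(Get-AzSubscription -TenantId $TenantId)
if ($subs.Count -eq 0) {
    Write-Warning "No subscription is homed in tenant $TenantId; create one in this directory."
} else {
    $subs | Select-Object Name, Id, State | Format-Table -AutoSize
}
```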