Microsoft Entra External ID tenant locked out by MFA
I first wanted to create an Azure B2C tenant. I could not because starting may 2025, it became deprecated and Entra External ID must be used instead. So I went ahead and created a new external ID tenant under an existing subscription that I have. Everything went well and the tenant got created. However, each time I try to switch to that tenant, I get this message:
The problem is that I get stuck here. Nothing happens. And when I try to click the button nothing happens either. So I am locked out. I tried clearing the cache, signing out then back in, nothing helped. Even worse, I deleted that tenant and started over, but now I can't use anymore the same tenant URL (eg myb2ctenant.onmicrosoft.com because it says it is used in another directory)!
When I check the IAM of this tenant in Azure portal, I can see myself as owner and the scope is Subscription (inherited). Which also means that I should have access.
In addition, I already have MFA setup and I use it regularly to login to Entra, or any other admin Microsoft platform.
I tried then to login using Azure CLI az login command. I see this warning regarding the newly created tenant:
The following tenants don't contain accessible subscriptions. Use `az login --allow-no-subscriptions` to have tenant level access.
{My tenant ID here} '{My tenant name here}'.
And in the Subscription list that I must choose from during az login process, I see only one option, my only subscription with my home tenant. There is no option whatsoever for the newly created tenant.
Now if I try to login using az login --allow-no-subscriptions I see my external ID tenant. However, under subscription name, I see N/A (tenant level account). I am expecting to see my one and only subscription, that I assigned my tenant to during creation. Also, in the Azure portal, in the overview tab of this tenant I can see the right subscription name linked to it. So why is it not showing in the CLI?
Edit #1
I ran this command in PowerShell
And this is the result. It looks like I got added as a guest or external user to this tenant that I created. I can't understand the logic behind this. I am a Global admin in my home tenant, I create another tenant and I can't access it because by default I am being assigned as a guest. Then the question is, who can access that tenant and give me permissions then?!
Also, I found this Microsoft Article that contains a PowerShell Script that allows a Global Admin to postpone MFA enforcement for the tenant. However, the script fails with a message saying that I am not an admin.
I finally figured it out. The main issue was that I initially linked my new External ID tenant to an existing subscription that was still associated with my home directory, which caused problems.
To resolve it, I created a new subscription and made sure to assign it directly to the new tenant / directory.
After that, I was able to switch directories again — and this time, MFA worked as expected, and I successfully switched tenants.
Additionally, I now see that I’m assigned the Global Administrator role by default in the new tenant, just as expected and as confirmed in the Microsoft Docs
By default, the user who creates a Microsoft Entra tenant is automatically assigned the Global Administrator role.
- Re-send dead letter message in Azure Bus
- How to do random sampling of rows in Synapse Analytics serverless SQL pool?
- How to skip admin approval for external users in an Entra ID multi-tenant application
- Bicep How to use external file to be used in Deployment Script?
- Insufficient Privileges error when retrieving AD User's Entra ID from Microsoft Graph API using email address
- What is the correct way to set a cookie expiration when using Azure AD to login users to an ASP.NET Core 5 Web Application?
- How can I Parse Json in a Azure Function
- Alchemy Websockets: Can't host server on Azure
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- I need to use some query results in an alert email notification in Azure ApplicationInsights
- Azure DevOps Pull work items in tree level in Excel
- Azure Event Hubs to share specific partitions with specific consumer groups
- Azure AD B2C vs Microsoft Entra External ID
- How to query OAuth2 permission grants for service principals in Entra ID using Microsoft Graph PowerShell
- How to get the app role's value given an app role ID in Entra ID using Microsoft Graph Powershell?
- How to list all directory extension definitions within an Entra ID tenant?
- How to get error message from action in Logic App
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Mobile App using existing database that has identity column not called id
- Devops self hosted agent - submodule checkout SSH host key verification failed
- How can I read a XML file Azure Databricks Spark
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Azure windows VM extensions are provisioning failed state VM agent is "Ready" but Backup failed at VM running State GuestAgentSnapshotTaskStatusError
- Android scheme not accepted by IOS when submitting react-native app through Expo EAS
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Access Azure DevOps Artifact Feed from different organization
- Duplicate record handling with Azure Data Explorer
- File upload fails with 413 Request Entity Too Large in Azure app service but not while running locally
- Azure Tables: best practices for choosing partition/row keys
- Access Denied when accessing Azure Key vault from Azure Functions