Error Atlas: Error Documentation and Resolution

Microsoft Entra sign-in failed because MFA enrollment is required

Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '{resource}'.

Microsoft Entra ID is blocking sign-in because the user has not yet registered a multi-factor authentication method, but MFA is now required by policy. Unlike AADSTS50076 (which fires when MFA is required but not performed), this error fires specifically when the user has no MFA method registered at all. The user must complete the MFA registration process before they can access the resource.

AADSTS50079 (authentication)

Causes:
  • A Conditional Access policy or per-user MFA enforcement requires MFA, but the user has not yet registered any authentication method (e.g., authenticator app, phone number, FIDO key).
  • Security Defaults are enabled on the tenant, which enforces MFA registration for all users, and the affected user has not completed registration.
  • A Conditional Access policy targeting the Microsoft Entra MFA registration process is configured in a way that prevents the user from completing registration (creating a loop).
  • The user is a federated user whose home identity provider does not return an MFA claim, and the resource tenant requires a registered Entra MFA method.
  • The user account was recently created or migrated and MFA setup was not completed as part of onboarding.
Fixes:
  1. Direct the affected user to https://aka.ms/mfasetup (or https://mysignins.microsoft.com/security-info) to register an MFA method. Once a method is registered, the sign-in will succeed after the user completes the MFA challenge.
  2. If the user cannot reach the registration page due to a Conditional Access policy blocking it: in the Entra admin center, go to Protection > Conditional Access > select the MFA registration policy, and temporarily exclude the user so they can complete registration.
  3. If MFA registration is blocked by a location or device compliance policy, ensure the user is on a compliant device or a trusted network before attempting registration.
  4. For bulk onboarding scenarios, admins can use the Temporary Access Pass (TAP) feature to issue a time-limited passcode that allows a user to sign in and register MFA methods without needing existing MFA. Navigate to Users > select the user > Authentication methods > Add authentication method > Temporary Access Pass.
  5. If per-user MFA enforcement is causing this for users who should be exempt: navigate to Microsoft Entra admin center > Users > Per-user MFA, find the user, and change their status to Disabled.
  6. Review the Microsoft Entra ID Protection MFA registration policy (Protection > Identity Protection > MFA registration policy) to confirm it is scoped correctly and is not inadvertently including users who lack the ability to register.
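
Added example (not from the original page): a triage script over exported sign-in log records that lists users still blocked by AADSTS50079 and the Conditional Access policies that failed for them, which tells you who to send to registration or issue a Temporary Access Pass. The sample records, user names and policy names are constructed; field names follow the Microsoft Graph signIn resource, and treating a later successful sign-in as completed registration is an assumption.

```python
import json
from collections import defaultdict

MFA_NOT_REGISTERED = 50079  # user has no MFA method registered (this page)
SUCCESS = 0                 # errorCode 0 marks a successful sign-in

# Constructed sample records; field names follow the Microsoft Graph signIn resource.
SAMPLE_LOG = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
  "status": {"errorCode": 50079},
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "failure"}]},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:20:00Z",
  "status": {"errorCode": 0}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T09:05:00Z",
  "status": {"errorCode": 50079},
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "failure"},
                                       {"displayName": "Block legacy auth", "result": "notApplied"}]},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T09:10:00Z",
  "status": {"errorCode": 50079},
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "failure"}]},
 {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-05-01T09:07:00Z",
  "status": {"errorCode": 50076}, "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "dave@contoso.example", "createdDateTime": "2024-05-01T09:12:00Z",
  "status": {"errorCode": 50079}, "appliedConditionalAccessPolicies": []}
]""")


def users_still_blocked(records):
    """Map each user whose most recent 50079 was not followed by a success
    to a failure count and the Conditional Access policies that failed."""
    state = defaultdict(lambda: {"failures": 0, "policies": set(), "blocked": False})
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        code = rec["status"]["errorCode"]
        user = state[rec["userPrincipalName"]]
        if code == MFA_NOT_REGISTERED:
            user["failures"] += 1
            user["blocked"] = True
            user["policies"].update(
                p["displayName"]
                for p in rec.get("appliedConditionalAccessPolicies", [])
                if p["result"] == "failure")
        elif code == SUCCESS:
            user["blocked"] = False  # assumption: a later success means registration was completed
    return {upn: (u["failures"], sorted(u["policies"]))
            for upn, u in state.items() if u["blocked"]}


if __name__ == "__main__":
    for upn, (count, policies) in users_still_blocked(SAMPLE_LOG).items():
        # Heuristic: no failed policy listed, so check Security Defaults or per-user MFA.
        print(upn, count, policies or "no CA policy failure recorded")
```

A user who keeps failing with the same policy listed and never succeeds is a candidate for the registration-loop cause above; AADSTS50076 records are ignored because those users already have a method registered.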
Microsoft Entra authentication and authorization error codes