Microsoft 365 MFA Prompt Loop: Three Patterns, Three Fixes

Most articles about Microsoft 365 MFA loops treat the problem as one thing. That’s why most of the fixes don’t work: they’re aiming at a target that isn’t there. An MFA prompt loop is at least three different problems wearing the same costume, and the fix depends on which one you’re actually facing.

The three patterns are: the prompt never arrives (you’re stuck on the “Approve sign-in request” screen forever); the prompt arrives but the sign-in fails afterward (you tap Approve, the app says success, the next sign-in re-prompts immediately); and the prompt arrives constantly (every Outlook send/receive, every Teams call, every Word save triggers a fresh MFA challenge).

Diagnose first. The fix order is different for each.

Quick answer

Identify which pattern you’re seeing, then run the fix:

  • Pattern 1 — No prompt arrives. Microsoft Authenticator isn’t receiving notifications. Cause: time desync between phone and server, or notification permissions disabled. Fix: refresh Authenticator account, fix phone time, enable notification permissions for Microsoft Authenticator app.
  • Pattern 2 — Prompt arrives, sign-in fails after approval. Token can’t persist back to the client. Cause: corrupted WAM cache or Credential Manager state. Fix: clear identity cache, sign out fully, sign back in. Same fix family as the generic “Something went wrong” sign-in error.
  • Pattern 3 — Prompt arrives every few minutes. Conditional Access policy is enforcing short token lifetimes, or persistence is disabled in the browser/app. Cause: admin-side policy. Fix: change “Stay signed in?” answer, check device compliance state, and if neither helps, this is an admin-side issue requiring tenant-level changes.

If you skip the diagnosis and just run “all the fixes,” you’ll waste an hour. The patterns look similar but their roots are completely separate.

Before you start

A handful of fast checks before the deeper troubleshooting:

  • Confirm your phone has signal and time sync. Open the Clock app on your phone. If the time is off by even 30 seconds, MFA challenges will fail silently. Auto-set time via cellular network.
  • Check the Microsoft Authenticator app actually opens. If it crashes on launch, reinstall it before trying anything else.
  • Verify there’s no active service incident at admin.microsoft.com/servicestatus. Authentication outages are rare but real, and they look identical to MFA loops.
  • Note whether the loop affects only one app, all M365 apps on this device, or all your devices. That’s the diagnostic key for distinguishing user-state from account-state from policy.

What an MFA prompt loop actually is

When you sign in to a Microsoft 365 service with MFA enforced, the flow has three legs: the application requests a token, the identity service (Entra ID) issues a challenge, and after you approve the challenge, a token gets written back to the client. A “loop” means one of those three legs failed and the cycle restarts.

The reason it feels infuriating is that the failure mode looks identical from the user side regardless of which leg failed: you keep being asked to authenticate. The reason that one fix rarely solves it is that “I keep being asked to authenticate” is a symptom of three completely different underlying failures.

Identifying which pattern you’re in

Read these three patterns and find the one that matches. The fix sections below assume you’ve made this call correctly — if you’re between two, work through both, but starting with the more likely match saves time.

Pattern 1 — The prompt never arrives

You’re at the sign-in screen. It says “Approve sign-in request” with a number to match, or “Open your Authenticator app.” You open the Authenticator app. Nothing is there. No notification, no pending request, no number-match screen. The PC sign-in screen eventually times out with “We didn’t hear back.” When you click “Send another request,” the same thing happens.

This is the most common MFA loop pattern in 2026, mainly because Microsoft fully migrated to number-matching MFA. The Authenticator app needs to be reachable, time-synced, and registered to your account.

Pattern 2 — The prompt arrives, sign-in fails afterward

The Authenticator notification arrives. You enter the matching number. The app says “Sign-in approved.” The PC briefly shows progress, then bumps you back to either the same sign-in screen or a generic “Something went wrong” error. You try again. Same loop.

The MFA itself is working — the failure is downstream, in how the token gets written back to the client. This is the same failure family as generic Office sign-in errors, just surfaced through the MFA flow.

Pattern 3 — The prompt arrives constantly

You signed in successfully this morning. By lunchtime, every M365 app is challenging you again. You sign in. By 3pm, Outlook is asking again. The prompts work — they just keep coming.

This is policy enforcement, not a malfunction. Conditional Access policies, “no persistent browser sessions” enforcement, or short token lifetimes (set by admins for security reasons) cause this pattern. End-user fixes are limited; the real fix is admin-side.

Common causes by pattern

Pattern 1 causes

  1. Time desync between phone and Microsoft’s auth servers. Number-matching MFA tolerates small drift, but if your phone clock is off by more than a minute, challenges fail without surfacing an error.
  2. Authenticator notification permissions disabled. Phone OS-level notification permission for Microsoft Authenticator must be enabled. If it’s off (often disabled by accident or by a “battery saver” feature), the prompt never displays.
  3. Account not properly registered in Authenticator. If you reinstalled Authenticator, switched phones, or recovered from cloud backup, the account entry exists but the cryptographic registration may be stale.
  4. Push notifications failing at carrier or VPN level. Some corporate VPNs and some mobile carriers block APNs (Apple) or FCM (Google) push services. The notification gets sent but never reaches the phone.

Pattern 2 causes

These are the same as the generic Office sign-in error causes, reached via the MFA flow:

  1. Stale or corrupted token in the local cache.
  2. Bad Credential Manager entries.
  3. WAM (Web Account Manager) plugin failure.
  4. Broken work/school account registration on the device.

Pattern 3 causes

Almost always admin-side:

  1. Sign-in frequency policy in Conditional Access requiring re-auth every X hours.
  2. “Persistent browser session” disabled, forcing re-auth at every browser session.
  3. Compliant device requirement that the device intermittently fails (e.g., Intune sync delay).
  4. Risk-based Conditional Access triggering on a perceived risk (new IP, unusual location, impossible travel).

End users can’t change the policies, but they can sometimes change how the policies apply — see Fix 3.3 below.

Fixes — Pattern 1: No prompt arrives

Fix 1.1: Sync your phone’s time

  1. On the phone, open Settings → General → Date & Time (iOS) or Settings → System → Date & Time (Android).
  2. Enable Set Automatically / Use network-provided time.
  3. Confirm the time updates within 60 seconds. Restart the phone if it doesn’t.
  4. Try the MFA prompt again.

Fix 1.2: Enable Authenticator notifications

  1. Go to phone Settings → Notifications.
  2. Find Microsoft Authenticator.
  3. Enable Allow Notifications, Sounds, and Banners.
  4. On Android: Settings → Apps → Authenticator → Battery → set to Unrestricted (some Android battery savers kill the app in the background).
  5. Try the MFA prompt again.

Fix 1.3: Refresh the account in Authenticator

This is the fix when the registration has gone stale.

  1. In Microsoft Authenticator, tap your account.
  2. Tap the account name at the top, then Update account settings.
  3. If that’s not available, swipe-delete the account from Authenticator (don’t worry — the account isn’t lost; only the local registration is removed).
  4. On a working device (a browser on a different computer), sign in to your Microsoft account at mysignins.microsoft.com (use your backup MFA method — text message, alternative authenticator, recovery code).
  5. Go to Security info → Add sign-in method → Microsoft Authenticator.
  6. Follow the QR-code setup to re-register Authenticator on your phone.
  7. Try the MFA prompt again.

If you can’t reach mysignins.microsoft.com because Authenticator is your only MFA method, you’re in lock-out territory. End-user options here are limited — you’ll need an admin to reset MFA on your account. If you are the admin, see admin-side MFA loop causes.

Fix 1.4: Switch to a different MFA method temporarily

While debugging Pattern 1, you can sometimes break the loop by using a different MFA method:

  1. On the sign-in screen, click I can’t use my Microsoft Authenticator app right now (or similar wording).
  2. Choose a different verified method — text message, phone call, or a different authenticator app.
  3. If that works, your account is fine; the issue is specifically with the Authenticator app on your phone.

This isn’t a long-term fix, but it confirms which side the failure is on.

Fixes — Pattern 2: Prompt fails after approval

These are the same fixes as for the generic “Something went wrong” sign-in error. Run them in this order:

Fix 2.1: Sign out fully and back in

File → Account → Sign out in any Office app. Close all Office apps (check Task Manager). Reopen and sign back in. The MFA approval will be required once; the token should persist this time.

Fix 2.2: Clear cached Office credentials

Press Windows + R, run control /name Microsoft.CredentialManager. Click Windows Credentials. Remove any Generic Credentials starting with MicrosoftOffice16_Data:, MicrosoftAccount:, or your work email. Reopen Office and sign in.

Fix 2.3: Reset the AAD Broker token cache

Sign out of Office. Close all Office apps. In File Explorer, navigate to %LOCALAPPDATA%\Microsoft. Rename these folders if they exist: IdentityCache, OneAuth, TokenBroker. Restart Windows. Sign in to Office.
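
Fix 2.2 and Fix 2.3 in PowerShell, added here as an example and not taken from the original article or from Microsoft: it lists the matching Credential Manager entries without deleting them, then renames the three cache folders with a timestamp suffix so the change can be undone. The Office process names and the ".bak-" suffix are assumptions of this example.

```powershell
# Added example. Run as the affected user (not elevated) so that
# $env:LOCALAPPDATA points at that user's profile.

# Fix 2.3 says to close all Office apps first; stop if any are still running.
# Process list is an assumption covering the common desktop apps.
$officeProcs = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK', 'ONENOTE', 'MSACCESS'
$running = Get-Process -Name $officeProcs -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning ("Close these first: " + (($running.Name | Sort-Object -Unique) -join ', '))
    return
}

# Fix 2.2 (read-only): show stored credentials whose target matches the
# prefixes named in the article. Review them, then remove them in
# Credential Manager as described above.
$prefixes = 'MicrosoftOffice16_Data:', 'MicrosoftAccount:'
$hits = cmdkey /list | Select-String -SimpleMatch -Pattern $prefixes
if ($hits) { $hits | ForEach-Object { $_.Line.Trim() } }
else       { Write-Host 'No matching Credential Manager entries found.' }

# Fix 2.3: rename (not delete) the identity caches so they can be restored.
$base  = Join-Path $env:LOCALAPPDATA 'Microsoft'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in 'IdentityCache', 'OneAuth', 'TokenBroker') {
    $path = Join-Path $base $name
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Host "$name not present, skipping."
        continue
    }
    try {
        Rename-Item -LiteralPath $path -NewName "$name.bak-$stamp" -ErrorAction Stop
        Write-Host "Renamed $name to $name.bak-$stamp"
    } catch {
        # A locked folder usually means something is still signed in.
        Write-Warning "Could not rename ${name}: $($_.Exception.Message)"
    }
}

Write-Host 'Restart Windows, then sign in to Office.'
```

To roll back, delete the recreated folder and rename the ".bak-" copy to its original name while Office is closed.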

Fix 2.4: Re-register your work account in Windows

Settings → Accounts → Access work or school → click your work account → Disconnect (only if you’re not on a corporate-managed device). Restart. Settings → Accounts → Access work or school → Connect → sign in with the work email.

If after all four fixes the loop still happens at the post-approval stage, see the deeper troubleshooting in Microsoft 365 ‘Something went wrong’ sign-in, particularly the antivirus/EDR exclusion fix.

Fixes — Pattern 3: Prompt arrives constantly

End-user fixes for Pattern 3 are limited because the cause is admin-side. But there are a few things that work.

Fix 3.1: Click “Yes” to “Stay signed in?”

When you sign in via a browser and Microsoft asks “Stay signed in?”, click Yes. This issues a persistent token rather than a session-only token. If you’ve been clicking No (or your browser is set to delete cookies on close), every browser session triggers a fresh sign-in.

This sounds trivially simple. It is. It also fixes a meaningful share of “Pattern 3” complaints.

Fix 3.2: Update your device

Conditional Access policies often require devices to be compliant — meaning up to date with patches, encrypted, and managed by Intune (on managed devices). If your device drifts out of compliance, every sign-in challenges. Run Windows Update. If you’re on a managed device, run Settings → Accounts → Access work or school → Info → Sync to force a compliance refresh.

Fix 3.3: Check whether you’re on the wrong network

Some Conditional Access policies trust corporate networks (where MFA is reduced) but require frequent re-auth from untrusted networks (home, public Wi-Fi, mobile hotspot). If the loop started when you switched networks, that’s the cause. There’s no end-user fix beyond connecting to the trusted network.

Fix 3.4: Talk to your admin

If 3.1–3.3 don’t help, the cause is policy. You’ll need to ask the IT admin to check:

  • Sign-in frequency in Conditional Access (default is 90 days; some orgs set it to 1–4 hours, which produces this pattern).
  • Persistent browser session enforcement.
  • Device compliance state in Intune for your device.
  • Whether your account is being flagged as risky by Identity Protection (which forces re-auth on every sign-in).

This isn’t optional. Without admin access, you can’t see or change these settings. If you are the admin, see admin-side MFA prompt loop causes.

Advanced fixes

If you’ve worked through all three pattern-specific fix sets and the loop persists, two more things to try:

Reset modern auth state on the device. Open an admin PowerShell. Run:

dsregcmd /leave

Restart. Then run:

dsregcmd /join

This forces a clean Entra ID device registration. Use only if you understand what device join does and you’re not on a managed device — running this on a managed device may break corporate policies and require IT to re-onboard the device.
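
A read-only check to run before dsregcmd /leave, added here as an example and not part of the original article: it parses dsregcmd /status and flags the conditions under which the warning above applies. Treating "domain-joined or MdmUrl populated" as "managed" is a heuristic assumed by this example, and the sample output is constructed.

```powershell
# Added example: decide whether "dsregcmd /leave" is appropriate on this PC.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Lines look like "   AzureAdJoined : YES"; split on the first colon only.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-SafeToLeave {
    param([hashtable]$State)
    $reasons = @()
    # Assumed heuristic for "managed": domain-joined, or enrolled in an MDM.
    if ($State['DomainJoined'] -eq 'YES') { $reasons += 'device is domain-joined' }
    if ($State['MdmUrl'])                 { $reasons += "MDM enrolled ($($State['MdmUrl']))" }
    if ($State['AzureAdJoined'] -ne 'YES') {
        $reasons += 'AzureAdJoined is not YES, so there is no join for /leave to remove'
    }
    [pscustomobject]@{
        SafeToLeave = ($reasons.Count -eq 0)
        # No Primary Refresh Token means no device SSO for Office apps.
        HasPrt      = ($State['AzureAdPrt'] -eq 'YES')
        Reasons     = $reasons
    }
}

# Constructed sample output; tenant name and URL are placeholders.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso (placeholder)
                    MdmUrl : https://mdm.example.invalid/enroll
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-SafeToLeave (ConvertFrom-DsregStatus $sample)
# On the affected PC:
#   Test-SafeToLeave (ConvertFrom-DsregStatus (dsregcmd /status))
```

If SafeToLeave is False, stop and raise a ticket instead of running dsregcmd /leave.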

Replace MFA method. If Pattern 1 is consistent and Authenticator refresh hasn’t helped, set up FIDO2 (a hardware security key) or Windows Hello for Business as your MFA method. Hardware keys don’t depend on phone time-sync or notification delivery and bypass many of Pattern 1’s failure modes.

Work or school device — when admin involvement is required

Three conditions where you should stop self-troubleshooting and raise a ticket:

  • Pattern 3, all the time, on a managed device. This is policy. Don’t fight it; document the impact and ask for the policy to be reviewed.
  • Pattern 1 with Authenticator as your only MFA method, and you can’t sign in to mysignins.microsoft.com. Only an admin can reset MFA in this case. Document your locked-out state and contact IT.
  • Pattern 2 persists after all four client fixes on a managed device. Likely an EDR/antivirus exclusion is needed for WAM. Only IT can authorize the exclusion.

For small business owners and accidental admins, the admin-side MFA loop causes guide covers the tenant-side checks for Conditional Access policies, sign-in frequency, and risk detection.

When to stop troubleshooting

Stop and escalate when:

  • You’re in Pattern 1 and have no working backup MFA method. You’re locked out; no client-side fix changes that.
  • You’re in Pattern 3 and Fix 3.1–3.4 haven’t helped. The cause is policy; only the admin can change it.
  • You’ve tried all pattern-2 fixes and the post-approval failure persists. There’s environmental interference (typically EDR or VPN); IT needs to investigate.
  • The loop happens only on this device while other devices and the browser work fine, and you’ve completed Fix 2.1–2.4. Reinstall Office.

What you should not do: pay a “Microsoft support” number that appears in a search result, install a “Microsoft 365 fix tool” from a non-Microsoft source, or call back any number from a voicemail claiming to be Microsoft. Microsoft does not call users about MFA issues, and there is no third-party tool that will fix MFA configuration.

FAQ

Why does Microsoft Authenticator suddenly stop receiving prompts when it was working yesterday?

Two common causes: time drift on the phone, and a battery-saver feature suspending the app. Phones can drift several seconds per day; over a couple of weeks that’s enough to fail MFA. Battery savers (especially on Android) often kill background apps without warning after an OS update. Re-enabling auto-time-sync and setting Authenticator to “Unrestricted” battery use fixes both.

Is the MFA loop a security threat?

The loop itself isn’t a threat — it’s a malfunction. But pay attention to unsolicited MFA prompts that you didn’t trigger. If your phone shows MFA approval requests when you’re not actively signing in to anything, that’s a sign someone is trying to break into your account: deny the request and change your password immediately.

Can I disable MFA to fix the loop?

Generally no, and you shouldn’t. On organizational accounts, MFA is enforced by tenant policy and you can’t turn it off as a user. On personal Microsoft accounts, you technically can disable two-step verification, but doing so for the sake of avoiding a loop is treating a malfunction by removing a security control. Fix the loop properly.

Will reinstalling the Authenticator app fix Pattern 1?

Sometimes — but only if you re-register your account afterward (Fix 1.3). A reinstall by itself preserves the cryptographic registration in cloud backup, so if the registration is what’s broken, restore-from-backup will reproduce the broken state. You need to remove the account from Authenticator and re-register at mysignins.microsoft.com.

My MFA loop only happens in one specific app (e.g., Outlook), but other Office apps are fine. Why?

That’s almost always a corrupted profile in that one app, not a true MFA issue. For Outlook specifically, see Outlook keeps asking for password, which has app-specific fixes. For Teams, the equivalent fix is to clear the Teams cache. The system-wide sign-in should be fine if other apps work.

How often is “constant prompting” actually a Pattern 3 issue versus a malfunction?

Roughly 70% of “Office keeps asking me to MFA every hour” complaints turn out to be Pattern 3 (a Conditional Access sign-in frequency policy of 1–4 hours) on managed devices. The other 30% are Pattern 2 issues where the post-approval token isn’t persisting. The diagnostic key is whether MFA succeeds each time (Pattern 3) or fails after approval (Pattern 2).

I’m a small business owner with no IT department — am I supposed to be the admin in this situation?

Yes, almost certainly. If you’re paying for Microsoft 365 Business Standard or Premium, you’re the global admin by default. Patterns 1 and 2 you can fix as a user. Pattern 3 requires you to put on the admin hat — see the admin-side MFA loop causes guide, which assumes a small-business admin context, not an enterprise one.
