Locked out after enabling “Phishing-resistant MFA” CA for all admins — Authenticator passkey + WHfB rejected
I think I completely locked myself out of my M365 tenant.
I enabled a Conditional Access policy requiring “Phishing-resistant MFA” for all admin accounts.
I DO have:
- a passkey created in Microsoft Authenticator
- Windows Hello for Business configured
But both are rejected during sign-in.
I only get a generic error:
“Something went wrong”
with no additional details at all.
I expected Authenticator passkeys and WHfB to satisfy the phishing-resistant MFA requirement, but apparently not in my setup.
Has anyone already hit this exact issue?
Is there a known limitation/bug with Authenticator passkeys + Authentication Strength policies?
Right now I have no active admin session left open.
EDIT: IT'S WORKING AGAIN
I finally managed to access the tenant by signing into a PC with my admin account and configuring Windows Hello. The PIN failed, but fingerprint authentication finally worked and let me back in.
I disabled the CA immediately and created a proper break-glass account. I fully admit I was careless, but honestly Microsoft also shares some responsibility here because this whole flow is clearly not mature enough yet.
PS: Some people here are honestly malicious and seem to enjoy seeing a fellow admin in trouble. Human mistakes happen very quickly, and a situation like this can genuinely keep you awake all night.