Was stumpted on this one and had to get advice from Microsoft Support.
A single user couldn’t log in via Multi-Factor Authentication. SMS code would say it was sent, wouldn’t come through. Phone call also wouldn’t come through. Trying to set up another MFA method aka.ms/mfasetup would receive one of these errors:
You are blocked from performing this operation. Please contact your administrator for help.
We’re sorry, we ran into a problem. Please select “Next to try again.
There were zero search results for that first error word for word, which is never a good sign.
There’s several areas you can check for blocked users such as:
https://protection.office.com/restrictedusers
https://protection.office.com/threatincidents
https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers
But I couldn’t find the user listed in any of those.
After logging a case, Microsoft Support advised to check here:
And of course, that’s where the user was listed. They’d had some suspicious activity (a MFA phone call they didn’t initiate) so chose the option to block future sign in attempts, as you’d hope. This also triggered an email alert to admins, and that link is where the user’s block is listed until released.
Really useful article. Many thanks for posting.
This saved my sanity!!!!!!! Thank you!
Aside from Global Admin, what roles are required to allow a helpdesk the ability to unblock users from the https://portal.azure.com/#view/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/~/BlockedUsers blade? I can’t seem to find any documentation.
OMG, this was a life saver as I was having the hardest time figuring out my end-users issues. Thank you for taking the time to post this.
Really saved my 3 day issue, even Microsoft can’t solve it! Thank you.
DUDE you are the BEST. I had a teacher in our district that COULD NOT get a text and I could not find an answer based on the first few screenshots he sent. Then I had a remote session and we got that “You are blocked from performing…” message which brought me to you. That brought me to this area in Azure for blocked MFA users. (who knew?) And there he was! He said he was using the authenticator app and accidentally hit the “it’s not me” button and that is what threw him into the blocked list. Anyway I learned something new today and I thank you for posting this.
That’s very kind of you and thank you for taking the time to post your thanks!
I’ll add my own thanks — out of the 7 school districts we support I have ONE user with this issue and could not figure it out. It wasn’t until I took over a ‘known working’ department iPad and tried setting up Authenticator without success that I finally found your post. Cleared the issue right up for us!
Thx this save me so much time !
You’re a legend. Had a user suddenly unable to receive MFA codes via SMS, getting errors like “Sorry, we’re having trouble verifying your account. Please try again.” with error code 500121.
Only when I tried authenticating via phone call where we received the “You are blocked from performing this operation. Please contact your administrator for help.” error. It was specific enough that it landed me here. Thank you!
No idea how to thank you. Really useful.
Awesome!! Saved me a lot of messing about
Thanks for posting this, explained exactly the issue one of my users was having. Even tried resetting their authentication methods to resolve. Saved a lot of time once I had the relevant error message.