Alexey Goncharov - Let's assume the below,
1. Tenant A has MFA enabled for all users and configured the authenticator app as the only second factor (unable to enable other factors like SMS/e-mail due to security reasons)
2. User X from Tenant A had registered the authenticator app five times
3. User X has either lost or changed five devices (device is not in possession)
When user X logs into myapps/myaccount, it prompts for a second factor. Since the user does not have a way to receive the second factor, the user is unable to log in. The user then calls the admin, and the admin resets the user's MFA registration status.
When the user logs in again, the user is prompted to register for a second factor (which is the mobile app). When the user tries to register the authenticator app for the sixth time, the user receives an error: "You cannot have more than 5 hardware tokens or authenticator apps...."
Now the user cannot delete the existing registration since myapps/myaccounts are MFA enabled and there is no way for admin to delete those user registrations.
This is a kind of weird scenario, but not uncommon, as a few customers are experiencing this.