Microsoft MFA Is Down Again
Here’s What to Do Right Now.
Microsoft confirmed an active outage today affecting MFA setup and the mysignins.microsoft.com portal. Affected users are hitting 504 Gateway Timeout errors when attempting to configure MFA or access the My Sign-Ins page. Microsoft’s mitigation: failover to alternate healthy infrastructure, monitoring ongoing.
Track incident MO1329260 in the Microsoft 365 admin center for live status.
The immediate operational problem
This outage hits hardest in exactly the environments that security frameworks recommend: organizations using Conditional Access policies and VPN authentication gated behind MFA. When MFA infrastructure fails, Conditional Access evaluates an incomplete authentication signal and denies access, which is the correct behavior from a security standpoint. The result is a lockout regardless of whether the user is legitimate. New employee onboarding, MFA re-registration, and self-service password resets that depend on mysignins.microsoft.com are blocked until service is restored.
The pattern
This is the fourth Microsoft MFA infrastructure outage in 2026. February 23: widespread 504 timeouts locking enterprise users out of M365. March 5: MFA gateway timeout errors across North America affecting any service requiring MFA for sign-in. Root causes vary (CPU spikes, infrastructure changes, database failures), but the failure mode is the same each time: MFA becomes a single point of failure for every downstream service it protects.
The control that should already be in place
If your environment doesn’t have emergency access accounts configured in Entra ID, configure them before the next outage. Minimum: exclude at least one emergency account from all Conditional Access and MFA policies, store its credentials offline under dual control, and maintain at least two Global Admin accounts with distinct credentials and different MFA methods. This is not a workaround; it’s the specific resilience control Microsoft and NIST both document for authentication infrastructure failures.
MFA failures are rare and brief. The problem is that “rare and brief” still means a lockout window, and a lockout window without an emergency access path means a support escalation to Microsoft to recover your own tenant. Document the recovery path before you need it.
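One way to verify the "excluded from all Conditional Access policies" requirement is to audit an export of the tenant's policies offline. The script below is an added example, not Microsoft's or this post's own tooling; it assumes the export uses the Microsoft Graph `conditionalAccessPolicy` JSON shape, and the function name, policy names and IDs are constructed placeholders.

```python
import json

# Constructed sample export. The field names follow the Microsoft Graph
# conditionalAccessPolicy resource; every ID and policy name is a placeholder.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
    "excludeUsers": ["BREAKGLASS-USER-ID"], "excludeGroups": []}}},
 {"displayName": "Require MFA for VPN", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
    "excludeUsers": [], "excludeGroups": ["BREAKGLASS-GROUP-ID"]}}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
    "excludeUsers": [], "excludeGroups": []}}},
 {"displayName": "Compliant device pilot",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["PILOT-GROUP-ID"]}}},
 {"displayName": "Retired policy", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"]}}}
]}
""")

def policies_missing_exclusion(policies, account_id, account_group_ids=()):
    """Return (displayName, state) for each policy that does not exclude the account.

    Deliberately strict: a policy is flagged even if its current include scope
    would not reach the account, because a later scope edit can change that.
    """
    groups = set(account_group_ids)
    findings = []
    for policy in policies:
        state = policy.get("state")
        if state == "disabled":
            continue  # disabled policies are not evaluated at sign-in
        users = (policy.get("conditions") or {}).get("users") or {}
        by_user = account_id in (users.get("excludeUsers") or [])
        by_group = bool(groups & set(users.get("excludeGroups") or []))
        if not (by_user or by_group):
            findings.append((policy.get("displayName"), state))
    return findings

if __name__ == "__main__":
    for name, state in policies_missing_exclusion(
            SAMPLE_EXPORT["value"], "BREAKGLASS-USER-ID", ["BREAKGLASS-GROUP-ID"]):
        print(f"NOT EXCLUDED [{state}]: {name}")
```

Report-only policies are listed with their state so they can be fixed before someone switches them to enforced. The check covers Conditional Access only; MFA enforced through other settings has to be reviewed separately.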
- Alex


