Microsoft Authenticator error 500121 is a multi-factor authentication (MFA) failure that blocks sign-in to Microsoft 365, Microsoft Entra ID (formerly Azure AD), and work or school accounts. This guide covers every confirmed fix — from a 30-second time sync to a full MFA reset for locked-out admins.
Microsoft Authenticator Error 500121 – Quick Overview
| Field | Details |
|---|---|
| Error Code | 500121 |
| Affected App | Microsoft Authenticator |
| Platform | Microsoft 365 / Microsoft Entra ID |
| Authentication Type | Multi-Factor Authentication (MFA) |
| Fastest Fix | Sync device time → try again |
| Related Error Codes | AADSTS50126, AADSTS50076, AADSTS53003 |
What Is Microsoft Authenticator Error 500121?
Error code 500121 means Microsoft could not complete the authentication request because MFA validation failed. It appears during sign-in to Microsoft 365, Microsoft Entra ID, or any federated app that enforces strong MFA.
The error screen typically shows:
- Error code:
500121 - A Request ID and Correlation ID (save these — you will need them if you contact Microsoft Support)
- A timestamp of the failed sign-in attempt
Note: Error 500121 is almost never caused by a Microsoft server outage. It is a client-side or policy problem that you can fix yourself in most cases.
Why Microsoft Authenticator Error 500121 Happens
One or more of the following conditions triggers this error:
- You denied an MFA prompt or tapped “Not me” in the Authenticator app
- A Temporary Access Pass (TAP) has expired or was already used once
- A Conditional Access policy blocks sign-in due to device, location, or risk level
- The Authenticator app is outdated or the MFA secret has become corrupted
- Your device time is out of sync — even a few seconds of clock drift invalidates time-based one-time passwords (TOTP)
- Microsoft Identity Protection flagged the sign-in as high risk (for example, after a suspicious login from another country)
Time drift warning: TOTP codes are valid for only 30 seconds and are calculated from your device clock. A clock that is 60 seconds off will generate codes that Microsoft’s servers reject every time, causing a persistent error 500121 loop.
Common Scenarios Where Error 500121 Appears
| Your Situation | Most Likely Cause | Fastest Fix |
|---|---|---|
| MFA codes never appear in the app | Time sync or corrupted secret | Fix 1: Sync device time |
| You denied an MFA prompt | Identity Protection block | Fix 4: Reset MFA registration |
| Login fails on a new device only | Device not trusted / Conditional Access | Fix 3: Check CA policies |
| MFA prompt never arrives | Push notification blocked or app outdated | Fix 6: Update or reinstall app |
| Blocked immediately after password | Conditional Access location block | Fix 3: Check CA policies |
| Sole admin locked out | MFA reset required | Fix 4 + request TAP from Microsoft |
Step-by-Step Fixes for Microsoft Authenticator Error 500121
Work through these in order. Most users resolve the issue by fix 1 or fix 2.
1. Sync Your Device Time (Most Common Fix)
Time mismatch is the single most common cause of error 500121 on Microsoft Authenticator. Microsoft uses time-based one-time passwords (TOTP) — a 30-second window — so even minor clock drift causes every code to fail.
On Android:
- Open Settings → General management → Date and time
- Enable Automatic date and time and Automatic time zone
- Restart the device
On iOS (iPhone/iPad):
- Open Settings → General → Date & Time
- Enable Set Automatically
- Restart the device
After restarting, open Microsoft Authenticator and try signing in again.
Quick test: Open Authenticator, tap your account, and tap Correct time for codes (Android only). The app will resync with a time server and flag if drift was detected.
2. Remove and Re-Add Your Account in Authenticator
If time sync did not help, re-registering the Authenticator app refreshes the shared MFA secret between your device and Microsoft’s servers. This resolves most persistent 500121 errors.
- Open Microsoft Authenticator on your phone
- Tap your account name → tap Remove account
- On a PC or trusted device, go to mysignins.microsoft.com/security-info
- Sign in (use an alternate method such as SMS if available)
- Select Add sign-in method → Authenticator app
- Scan the new QR code with your phone to re-register
Do not delete the account from Authenticator until you have confirmed you can access the Security Info page via another method (SMS, email code, or a trusted PC).
3. Check Conditional Access and MFA Policies — Admins Only
If you manage the Microsoft Entra tenant, a policy may be blocking sign-in based on device compliance, network location, or risk score.
- Open Microsoft Entra Admin Center (entra.microsoft.com)
- Go to Users → Multi-Factor Authentication
- Confirm the affected account is not listed as Blocked
- Navigate to Protection → Conditional Access → Policies and review active policies
- Check Sign-in logs under Monitoring — filter by the user and look for a Failure reason
Common policy-related block reasons include: device not compliant, sign-in from a non-approved location, or sign-in risk flagged as High by Identity Protection.
4. Reset MFA Registration (If You’re Locked Out)
If you cannot complete any MFA step at all:
If you have an IT admin:
- Ask the admin to open Entra Admin Center → Users → [your account] → Authentication methods
- Select Require re-register MFA
- The next sign-in will prompt you to set up MFA fresh
If you are the only admin (see also the dedicated section below):
- Try signing in from a network or device you previously used successfully
- Try any backup MFA method already on your account (SMS, backup code)
- Contact Microsoft Support and provide: error code
500121, the Request ID, Correlation ID, and the timestamp from the error page
5. Use Alternate MFA Methods (SMS or Phone Call)
If your organisation allows alternative verification methods and the Authenticator app is failing unexpectedly:
- During sign-in, click Other ways to sign in or I can’t use my Microsoft Authenticator app right now
- Choose Text a code or Call my phone
- Complete sign-in, then visit Security Info to fix the Authenticator registration
Best practice: Always register at least two MFA methods (Authenticator app + SMS) so one is always available as a fallback.
6. Update or Reinstall Microsoft Authenticator
An outdated or corrupted app can silently fail to generate or deliver MFA codes.
- Open the Play Store (Android) or App Store (iOS) and search for Microsoft Authenticator
- Tap Update if available
- If the update does not help, uninstall the app completely and reinstall it
- Re-add your account using a fresh QR code from the Security Info page (follow the steps in Fix 2)
Uninstalling Authenticator removes all accounts from the app. Make sure you have an alternate MFA method or access to backup codes before uninstalling.
7. Fix Browser-Related MFA Issues (Web Login)
If MFA prompts fail specifically in a browser during web-based Microsoft 365 sign-in:
- Clear browser cache and cookies: Settings → Privacy → Clear browsing data
- Make sure JavaScript is enabled
- Disable ad blockers or script-blocking extensions temporarily
- Avoid using private or incognito mode — Microsoft’s MFA flow requires session cookies
- Try a different browser (Edge, Chrome, Firefox) to isolate the issue
What If You’re the Only Administrator?
Being the sole admin makes error 500121 significantly more serious, since there is no other account that can reset your MFA. Try these steps in order:
- Sign in from a previously trusted device or network — Microsoft may allow sign-in from a known device without the full MFA challenge
- Use any backup MFA method already configured on the account (SMS, backup email, FIDO2 key)
- Check for a Temporary Access Pass (TAP) — if one was previously created, use it now
- Contact Microsoft Support at support.microsoft.com and request tenant recovery. You will need to verify identity ownership. Have ready:
- Error code:
500121 - Request ID (from the error screen)
- Correlation ID (from the error screen)
- Timestamp of the failed sign-in
- Error code:
Prevention tip: Create a second emergency admin account in Entra ID and configure it with a hardware FIDO2 key or backup email MFA. Store it securely — you only need it in break-glass scenarios like this.
How to Prevent Error 500121 From Returning
- Keep the Microsoft Authenticator app updated — enable automatic app updates on your phone
- Always register at least two MFA methods on your account
- Keep your phone’s date and time set to automatic
- Never tap “Not me” or deny an MFA prompt unless you are certain it is fraudulent — doing so can trigger an Identity Protection block
- If you do deny a prompt due to a suspected phishing attempt, report it to your IT admin immediately so they can review the sign-in log
- Create and store backup MFA codes via Security Info before you need them
FAQs Microsoft Authenticator Error 500121
What causes Microsoft Authenticator error 500121?
Error 500121 is most commonly caused by device time sync issues, a denied MFA prompt, an expired Temporary Access Pass, or a Conditional Access policy block in Microsoft Entra ID. Time drift is the single most frequent culprit.
Is error 500121 a Microsoft server outage?
In the vast majority of cases, no. It is a client-side or policy issue. You can verify Microsoft service health at status.office.com to rule out an outage.
Can error 500121 be fixed without reinstalling the Authenticator app?
Yes. Syncing device time or re-approving the MFA prompt resolves the issue for most users without any reinstall.
Why does error 500121 keep coming back?
Recurring error 500121 usually points to an ongoing time sync problem (the phone clock is drifting), an outdated Authenticator app, or a Conditional Access policy that keeps blocking the specific device or location.
How is error 500121 different from AADSTS50126 or AADSTS50076?
AADSTS50126 indicates invalid credentials (wrong password), while AADSTS50076 means MFA is required but was not provided. Error 500121 specifically means MFA was initiated but the verification step failed — the user got the prompt but the code or approval was rejected.
What should I do if I am completely locked out as the only admin?
Try signing in from a previously trusted device or network. If that fails, contact Microsoft Support with your error code, Request ID, and Correlation ID to request a Temporary Access Pass for tenant recovery.
Microsoft Authenticator error 500121 can feel like a total lockout, but it is almost always solvable. The majority of users fix it in under five minutes by syncing device time (Fix 1) or re-registering the Authenticator app (Fix 2).
If those quick fixes do not work, the problem is usually a Conditional Access policy (Fix 3), a denied MFA prompt triggering an Identity Protection block (Fix 4), or an outdated app (Fix 6).
Going forward, configure a second MFA method on every account and keep your Authenticator app on automatic updates — both steps will prevent this error from recurring.
