In Microsoft Entra External ID, we’ve noticed that unused verification codes generated for sign-up and two-factor authentication can still be used in two scenarios, even after a new code has been requested: During the same registration/login attempt. When the current registration/login process is canceled, and a new one is initiated. While used codes are correctly blocked from reuse, unused codes remain valid and can be reused across new registration or login attempts. Could you please clarify : Whether it’s possible to restrict the usage of old, unused codes in new registration or login attempts. If there’s a way to invalidate all previous codes whenever a new code is generated.

Handling Unused Verification Codes in Microsoft Entra External ID.

Aakash Goswami 5

In Microsoft Entra External ID, we’ve noticed that unused verification codes generated for sign-up and two-factor authentication can still be used in two scenarios, even after a new code has been requested:

During the same registration/login attempt.
When the current registration/login process is canceled, and a new one is initiated.

While used codes are correctly blocked from reuse, unused codes remain valid and can be reused across new registration or login attempts.

Could you please clarify:

Whether it’s possible to restrict the usage of old, unused codes in new registration or login attempts.
If there’s a way to invalidate all previous codes whenever a new code is generated.

Share via

Handling Unused Verification Codes in Microsoft Entra External ID.

Your answer