![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 76%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPH%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Error code 399287 indicates that the phone number used for SMS has been flagged with a “bad reputation” and is blocked for Microsoft Entra multifactor authentication. When this happens, SMS verification will fail and, if no other MFA methods are configured, access to the admin account can be blocked.
Forum moderators and community engineers cannot directly fix this; the issue must be handled by Microsoft support/Data Protection.
Use the following approach:
- If there is another global admin
- Sign in with another global admin account (if available).
- In the Azure portal, go to Microsoft Entra ID → Users → select the affected admin.
- Check if Block sign in is enabled; if so, disable it.
- Reset the user’s MFA methods and add an alternative method (such as Microsoft Authenticator or another phone number) so sign-in does not depend on the blocked SMS number.
- If this is the only admin account
- Contact Microsoft support and ask specifically for the Microsoft 365 Data Protection team to assist with admin account recovery and MFA reset. They have internal tools to:
- Clear the “bad reputation”/block on the phone number, or
- Reset MFA for the locked global admin so a new method can be configured.
- If direct support access is not possible because sign-in is blocked, create a new temporary Microsoft 365 trial tenant, go to admin.microsoft.com → Support → Help & support, and open a service request from there. Clearly state that:
- This is a different tenant used only to contact support.
- The problem is with a separate production tenant where the only global admin is locked out due to SMS MFA error 399287.
- Provide the affected tenant domain, the admin UPN, the error code (399287), and that SMS MFA is the only configured method.
- Contact Microsoft support and ask specifically for the Microsoft 365 Data Protection team to assist with admin account recovery and MFA reset. They have internal tools to:
- After support resets MFA or clears the block
- Sign in to the admin account.
- Immediately configure multiple MFA methods (Microsoft Authenticator app, an additional phone number, possibly security keys) to avoid being locked out again if SMS fails.
The actual unblock/reset for error 399287 can only be completed by Microsoft support/Data Protection; community tagging of individual engineers is not sufficient to resolve it.
References:
- You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
- Troubleshoot Microsoft verification code issues
- Common problems with two-step verification for a work or school account
- "Account verification system is having trouble" error message when you try to sign in by using a work or school account
- 399287 - Microsoft Q&A Unable to Verify Identity for Azure Login – Error 399287
- Azure has blocked myphone number for SMS verification due to a “bad reputation” flag - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- MFA admin account no longer works - Microsoft Q&A