After configuring two-factor authentication for Outlook Web Access [OWA], the Exchange Control Panel [ECP] is asking for a security code. Some internal administrators and Exchange Administrators don't have VIP 2FA tokens configured, and can no longer access the ECP.

No errors are present other than an inability to log in.

This is expected behavior when using forms authentication.  By default the ECP uses the same logon.aspx as OWA.

There are three solutions to resolve this expected behavior on the ECP page:

1. Modify or create a new user store, and register a credential ID to the Exchange Admins
2. Manually add the Exchange Admins to the VIP manager with credentials
3. Disable forms authentication for the ECP in IIS [https://technet.microsoft.com/en-us/library/cc731595(v=ws.10).aspx]