Entra MFA - Multiple Issues

at_work 0 Reputation points
2026-04-30T01:41:43.4+00:00
  1. SMS must be enabled as an authentication method for new user initial login and authenticator setup.
    1. If SMS is disabled, the user gets a prompt to contact admin, and that they are blocked from signing in (this is despite there being multiple other auth methods enabled)
    2. This was after using TAP for initial sign-in (I want to sunset passwords)
  2. Accounts excluded from MFA CA are still prompted or required to set up MFA, even disabled legacy authentication methods.
    1. Fido2 keys not available as an MFA method despite being explicitly enabled in auth method policies.
    2. I had to use a TAP in order to set up a YubiKey usb fido2 key with my Break Glass Account.
  3. My tenant is a legacy tenant -- is this the reason why my Entra auth policies don't work?
  4. How do I make my tenant passwordless for all users? Or all users who are not Service Accounts, Break Glass Accounts, and Administrators?
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.