Users are being forced to use Microsoft Authenticator app

Zack Anderson 110

I have users that are being FORCED to setup the MS Authenticator app to sign into cloud apps in a browser.

This is Microsoft's example screen and next to it is what my users are seeing. The Not now button is missing.

I do NOT have security defaults enabled.

I do NOT have conditional access policies enabled.

I can't force users to use a smartphone app if I don't pay for them to have a smart phone.

MFA setup missing Not Now.png

MFA Microsoft's example.png

Michael 70 Reputation points

2023-08-02T02:57:22.21+00:00

This just started creeping up in our organization over the past few days, causing confusion.

Agree with your statement, "I can't force users to use a smartphone app if I don't pay for them to have a smart phone."

We have a few, more than a few, non-tech individuals.
Tina Maddox 20 Reputation points

2023-08-21T19:23:04.6033333+00:00

As an admin on our account we've used 2fa for years but not forcing the Microsoft authentication app. Now I am unable to login without using it. We as a company do not use that application at all and am looking for a way to continue using the secure method we have setup for our users.

Does anyone have any advice on getting past this?
Tina Maddox 20 Reputation points

2023-08-21T19:24:46.2833333+00:00

This is what is available for an Admin account.
Dan Foote 25 Reputation points

2023-09-25T16:55:20.0233333+00:00

It appears that the ability to set up an authenticator app OTHER THAN Microsoft Authenticator has been removed.

WHY? Yes, I'm shouting. This is BS. We've used MFA authentication for multiple sites for ages, yet that capability has been removed. Now we're being forced to use an App that we don't like? Or use?
Noah Mogor 5 Reputation points

2023-10-03T23:54:33.6066667+00:00

OK - so I've disabled everything related to this in Entra, as well as the Azure portal, and my clients workstations are STILL getting inescapable prompts for this ridiculous feature. Is there something that needs to be done on the workstation side to sync with these settings and get rid of this mess?
JustHereToHelp 10 Reputation points

2023-10-05T20:13:22.48+00:00

I just added a quick guide of what I did to solve it today.
Paul Craven 15 Reputation points

2023-10-09T09:36:00.8833333+00:00

Can Microsoft please send the the MS invoice details, so that I can bill MS for the time I spend fixing their constant unwanted changes?

It's about time MS started feeling the pain.

I'll warn them now, 90% of my customers would leave MS in a heartbeat if a simple, reliable alternative appeared.
Anonymous

2023-10-10T05:59:57.4266667+00:00
Hi everyone,

So this doesnt seem clear to me.

Will Microsoft make definitly deprecated SMS auth ? If so, when ?

If some users, for any reason, dont want to install such app to authenticate, is it possible or not to keep SMS auth for 2FA ? If so, how to do in Entra ?

If I set MS campaign to disabled, what wil happen to SMS auth ? Disabled anyway after how many days or what ???

Please MS make your communications CLEAR !!!
Qingzhang Li （李庆章） 0 Reputation points

2023-10-13T05:54:15.4966667+00:00

how is about the users in China? for Android users, this "Microsoft Authenticator "APP could not be found in the China local APP Store, google play is not available in China, how should we use the "Authenticator" app rather than SMS ?
siu on leung 0 Reputation points

2023-10-18T17:19:29.2966667+00:00

Many users get very angry and complain the change of Microsoft. They don't want to install any App on their mobile. We need to have options for get the verification code though SMS / App.

Is Microsoft want to reduce the cost of send SMS code???

DON'T ENFORCE everyone to use / register Microsoft Auth App
Martin Kimzey 10 Reputation points

2023-10-25T12:44:55.93+00:00
This was poorly handled by Microsoft.

I too was forced to install the authenticator app.

The services and applications that we pay Microsoft for should not be held hostage to installing an authenticator app.

Just to be clear, people were blindsided by being forced to install the authenticator app. To people who could not open their applications, this was like a ransomware attack.

Many small businesses and individuals with Office 365 are not power users. Small businesses don't always have network admins. They also do not have large amounts of time to figure out settings that they have never dealt with so they can email people from Office 365 with gmail, Go-Daddy, and other domains that are not Microsoft.

Not having access to our applications and having to stop work to figure out the authenticator app (or switch to Open Office) - is not a welcome change of pace.

There was no warning. I arrived at my worksite and could not open any of the Office applications that I have been using for years.

When I setup a hotspot to check Office 365, I could not access my account until I installed the authenticator app. I am at a site with iffy cellular. so, naturally, the installation does not work. I have no instructions from Microsoft on how to make this installation optional. I am in a conference room, apologizing for not being able to discuss what I traveled to talk about.

Instead of spending one day on site, I now need two. All on my dime. I have to reschedule other clients.

I have two Office 365 sites - one for a business (which was hosed by this) and one for an R&D group. Members of the R&D group will be blindsided by being forced to install an authenticator app.

Until now, Office 365 was a tool that I could rely on. Office 365 applications not starting because it can't verify the account - followed by being forced to install an app on your smartphone probably cost me a client.

This is not Microsoft Office 365 being a reliable set of tools that I can depend on. This is being held at gunpoint, the thought process behind ransomware and an absence of consideration for Microsoft's clients.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Algo 40 Reputation points

2023-11-15T14:48:50.2966667+00:00

You know what's worse? when I signed up to comment here, I'm FORCED to tick allow Microsoft to send offers, deals, etc else I can't proceed.

And Authenticator FORCED me to install EDGE else I can't view on smartphone. Upon installing EDGE the connection is CUT without any mention of Authenticator and loops me again to install EDGE as FORCED.

Biggest joke is... after logging in using AUTHENTICATOR Android, on my laptop it prompts me to force fed install AUTHENTICATOR again. Duh if I can login my EMAIL OTP via Authenticator means I already have it, why FORCEFED me with another AUTHENTICATOR part 2!!??!??!

Whoever created this should be shot. Worst irritating forceful app forcing companies to use it.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Raiyad Raad 20 Reputation points

2023-12-21T18:07:19.4033333+00:00

Microsoft is the worst ever company that is against open-source and freedom. No matter how much they contribute to open source deep inside they are against it. I just needed to log into my outlook mail. It forced me to download MS Authenticator app. Is there a reason why other Authenticator apps are not possible to be used in this case? Other tech companies allow other authenticator apps without any problems.
Joshua Konkle 20 Reputation points

2024-01-11T15:19:57.1566667+00:00

Microsoft has a policy inheritance rule for things they want to turn on for "marketing" and "customer adoption" of their lesser known software. In this case, it's authenticator. Conversely, I'm sure there are some large enterprises seeking to have a unified authenticator app for business use, hence the justification. The issue is that within each container/organization, Microsoft has tied the default setting to a "Microsoft managed" policy inheritance rule, see https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement at the top in Purple, where MSFT turned this on in June of 2023, well started to roll it out. I've not been able to locate a full list of settings that default to policy inheritance from "Microsoft managed", it looks like it's only used in this marketing/user adoption push for the Microsoft Authenticator app. There are those of us who've been around since Group Policy and RSOP was a death sentence if you were doing it on paper, that's what this feels like. In this case there needs to be a clear list of RSOP based on Microsoft Managed, but alas I don't see a list of settings controlled via "Microsoft Managed" In any case, turn off Microsoft Managed (aka Microsoft marketing) and set to disable if you don't need the setting/feature enabled, but the trick is the setting is in "entra ID" management UI, not the default admin user management section. In entra id --> Identity --> Protection --> Authentication Methods, then review Policies, Registration Campaign, and Settings, make sure Microsoft Authenticator is turned off or disabled in all three (facepalm).
Vickie Spindler 0 Reputation points

2024-04-10T22:28:55.6+00:00

I am furious that I am being forced to use authenticator in order to sync my notebooks. I am a business owner and make all of my own decisions. I am a paying customer who should be able to choose whether I want extra security. I can't figure out how to disable authenticator. When I have time to deal with this, I'm quitting Microsoft and using only when absolutely necessary!
Nic Arrington 0 Reputation points

2024-04-12T13:40:13.82+00:00

NONE of the suggested solutions worked for me. I have a service account used by multiple people and some servers for communication and authentication on our domain. This account IS the mfa account. To have to use the authenticator app is not only unnecessary, 1> it's overkill, and 2> ONLY ONE PERSON CAN BE SET UP WITH THE APP!!! so unless Microsoft enables the ability for multiple people to have an authentication app on multiple phones to be able to get into this MOTHER-FOXTROT-UNIFORM-CHARLIE-KILO-ING SERVICE ACCOUNT, they've successfully ended their usefulness.
Tony Miller 20 Reputation points

2024-07-02T03:22:27.0466667+00:00

Good old MS start with a good product and then gradually destroy it with upgrades

I am using a desktop to log in to power bi service and it wants me to install the authenticator app - but only wants it on a mobile phone

So I am locked out of my account - Nice one Microsoft

Accepted answer

Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-07-28T16:43:38.43+00:00

Hello Zack,

Please go to Entra > Protection > Authentication methods > Registration campaign

Check whether Microsoft Authenticator is applied for All users. If so, you can change who it is applied to by clicking All users.

If this is helpful please accept answer.
Please sign in to rate this answer.

35 people found this answer helpful.
Zack Anderson 110 Reputation points

2023-07-28T16:47:06.7433333+00:00

That's right where it was!
Thanks so much for the quick reply. I've set it to just myself for now and might use it at a later date to roll it out.

Dillon Silzer 57,831 Reputation points Volunteer Moderator

2023-07-28T16:48:15.4066667+00:00

Awesome! Have a great day!

Seema Kanwal Gurmani 336 Reputation points

2023-08-02T06:16:17.5733333+00:00

I have a Similar Issue that users are being forced to Download the Microsoft Authenticator App even though we have text message for authentication purpose. Here are the screenshots of the Setting from my end: ScreenShot2.PNG ScreenShot1.PNG

IT 20 Reputation points

2023-08-09T19:35:47.56+00:00

So how do we select no users? Because trust me, nobody wants to use your auth app, especially when its forced on us by default seemingly out of the blue. I suppose I could just select one throw away account but looks like "nobody" isnt an option. Clearing all users and attempting to save results in an error. TIA

Anonymous

2023-08-15T14:01:54.62+00:00

Why is this greyed out and I can't change it? I have full admin rights.

Ken Gilbert 55 Reputation points

2023-08-29T16:02:55.0766667+00:00

I disabled it and it seems to have worked so far.

Michal Jan Warecki 0 Reputation points

2023-09-06T08:12:10.39+00:00

Thanks a lot for this, it made one less frustrated Office user at our office :) It's curious that it seems impossible to disable enforcing of the app for all users, or that at least one user has to be forcibly enrolled in the Authenticator app. Thankfully we have users that use the app already, so I could set it to one of them.

Admin 15 Reputation points

2023-09-06T15:17:35.54+00:00

What the heck (I'll be nice here) is Entra? Never heard of it, but I see that there is a "Microsoft Entra admin center". It took me a while to find that out, but once I did....I was able to drill into Protection>> Authentication Methods >> Registration Campaign and then *disable the entire Registration Campaign by changing the State = Disabled.

This is another one of MS stupid ideas just to control the market and make more $$$

Please stop making changes that FORCE people to do things like this.

TS 0 Reputation points

2023-09-22T07:32:29.7333333+00:00

My sidebar menu looks completely different, there's no submenu called "Protection". I found it on the overview page under feature highlights > authentication methods.

Haroon Raza 0 Reputation points

2023-10-03T17:38:58.04+00:00

Thank you that was right there to change the settings.

Zachary Judd 5 Reputation points

2023-10-05T16:14:56.3733333+00:00

The menu that Dillon Silzer mentioned was the correct location. But rather than changing the Included Users and Groups, what you can do/what I did was simply turn the State to Disabled (under settings, above the Included Users and Groups section. Still within the Registration Campaign tab.) Just a heads up to anyone running into this!

We did not have security defaults enabled, but had MFA enabled (and for some users, enforced) manually for specific users already. They already had MFA setup via text/phone call, yet were FORCED to setup with the Authenticator app until I disabled this. Just to further elaborate.

Aditya Garg 66 Reputation points

2023-10-06T15:49:57.3066667+00:00

+1, it is possible to disable this completely to avoid users having other 2nd Factor like SMS from getting prompt as mentioned here : https://learn.microsoft.com/en-us/answers/questions/1307030/changes-to-the-registration-campaign-feature-in-az

Sign in to the Microsoft Entra admin center as Authentication Policy Administrator or Global Administrator.

Browse to Protection > Authentication methods > Registration campaign and click Edit.

For State, click Disabled.

Anonymous

2023-10-11T06:02:57.6233333+00:00

If we set to Disabled the Protection > Authentication methods > Registration campaign, will SMS continue to work after 20 octobre ?

WB 0 Reputation points

2023-11-25T14:32:12.4866667+00:00

Except, now as a global admin, you can't even get to protection unless YOU YOURSELF have MS AUTHENTICATOR. There really is no way around it. I spent 7 hours yesterday working in my own personal tenancy and several customer tenant portals. This is a disaster. It doesn't help that they are constantly moving things in the admin portal.

I any case setting the STATE to DISABLED simply leaves the user accounts in the same state (requiring MFA even though modern and 2FA are both disabled on the tenant) but with NO auth method. The catch 22 is that now one can't be added with out re-enabling the policy, but no matter what method you setup as the default, MS authenticator takes precedent.

App passwords are broken - can't even be added anymore and it appears that whatever they have done to override the admin portal Modern/2FA/Per User security settings has made a mess everywhere and broken other settings in many other places.

Add to that the number of users who using any MS connected resource anywhere can accidentally end up with a "live" account associated to their work/school email, the insanity of OneDrive being almost impossible to block even in locked down AD environments, KiosK Mode in W11 lacking single APP and basically being impossible to lock down for no browser, etc. We won't even touch on the absurdity of trying to make a Windows machine actually even remotely HIPAA compliant. The forced Authenticator nonsense is basically the last straw for me.

I was a Microsoft Partner for decades. I am no longer and relish moving anything and everything that I can away from their platforms. I personally moved to a Mac ~5 years ago and will likely never own another Microsoft Desktop Operating system.

Nic Arrington 0 Reputation points

2024-04-12T13:36:14.49+00:00

This did not work. I am getting angry.

bweeks-beckerIT 0 Reputation points

2024-04-16T16:37:00.41+00:00

THANKS for this solution, I've been at my wits end for almost 2.5 weeks now, dealing with this MS authenticator 'enforcement' campagin by Microsoft.

Chris Ells 0 Reputation points

2024-10-08T22:20:59.3033333+00:00

Not a great solution, if you have to log into use it, and can't log in. I also hate that Microsoft forces you to use their proprietary authenticator app, even if you disable it as one of the multi-Factor methods. There appears to be no alternative.

Chris Ells 0 Reputation points

2024-10-08T22:27:01.1766667+00:00

Microsoft sucks.

STEVE NICHOLS 0 Reputation points

2025-03-10T17:45:08.4033333+00:00

I have none of this turned on and it still forces me to do it. I can't login anymore and bypass to get to it at this point either any longer. How fun. Stuck.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

6 additional answers

David 5 Reputation points

2023-10-06T15:37:28.56+00:00

Several people in my organisation have recently started having similar MFA issues. For some, despite having the Authenticator app setup, they don't get sent codes. They can login at office.com without any MFA prompts but can't access Windows apps like Teams.

Some users are being forced to setup Authenticator, despite other MFA methods being setup. This prevents them from logging in anywhere without setting up Authenticator. They're also not asked to setup any alternative MFA options, or asked to provide phone or email details for self service password changes.

But most users can login fine with their chosen MFA option.

System-preferred multifactor authentication is set to disabled. The default registration campaign was set to disabled but I've since tried enabling it for one test user to see if that helped. It didn't.

The legacy "per-user MFA" setting is set to disabled for all users.

So I'm seeing very inconsistent results and nothing I try changing seems to have any effect. All settings are ignored. This is extremely frustrating and is preventing some users from working properly.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
David 5 Reputation points

2023-10-13T11:33:57.9866667+00:00

I've been battling this issue for a while now and I think I've figured out what the cause is for me. Hopefully this will help others, as Microsoft's info on the matter is rather lacking.

Over the last year or so, MS have changed a couple of things relating to authentication which will have different effects depending on what type of Microsoft/Office 365 subscription you have.

The main things that effect this are whether your subscription includes Entra ID, whether this is the free or full tier of Entra ID and whether you have "Security Defaults" enabled in Entra ID. It appears that "Security Defaults" is now enabled by default.

In my case, I have a Microsoft 365 Standard subscription and this only includes Entra ID free tier. I also had "Security Defaults" enabled. With this combination, it appears that ALL standard users are FORCED to use the Authenticator app, regardless of any settings you pick. However, global admins have access to SMS and email OTP style MFA. This isn't made clear at all and in my case (as a global admin) made the issue difficult to diagnose.

With a Microsoft 365 Professional subscription (and other higher tier products) you get the full version of Entra ID (or at least a version with more features than the free one). With this and "Security Defaults" enabled, you can choose what MFA options to offer to users and they can pick which they want to use. So you can avoid users being forced to use Authenticator. But you can still force this if you wish.

With Entra ID free tier, it appears the only way to regain control of MFA is to DISABLE "Security Defaults", which MS don't recommend. After that, you can control MFA using the old "per-user MFA" settings. However, this isn't very user friendly, especially if you have a lot of users. But at least the option is there. I believe these options override the newer MFA settings configured in Entra ID. The other annoying thig about this is that the "per-user MFA" settings appear to be a deprecated feature that's being replaced by the newer Entra ID features. I'm not sure how that will affect Entra ID free tier users moving forward.

If using the "per-user MFA" settings isn't appropriate for you, then it appears the only option is to leave MFA totally disabled, which isn't ideal.

So MS have made Entra ID free tier purposely annoying and restrictive by limiting the MFA options. This forces customers to either waste lots of time manually changing the "per-user MFA" settings, decrease security by leaving MFA disabled, or spend more money by upgrading to a subscription with the full version of Entra ID.

Here's some useful links:

Feature comparison of different subscription levels, with useful info of Entra ID free tier at the bottom:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing?toc=%2Fazure%2Factive-directory%2Ffundamentals%2Ftoc.json

Disabling/Enabling "Security Defaults:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults

Using "per-user MFA settings":

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

I hope this helps other people struggling with this. If I've got any of this wrong, please comment.
Please sign in to rate this answer.

1 person found this answer helpful.
David 5 Reputation points

2023-10-13T11:38:28.3033333+00:00

I should also mention that other replies above do provide more useful info. Such as disabling the registration campaign, or limiting it to certain users. So you may need to experiment with some combinations of settings. Unfortunately MS haven't made any of this clear.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Users are being forced to use Microsoft Authenticator app

6 additional answers

Your answer