Azure - MFA Method details moved or hidden for Authentication Administrators role

Question

Azure - MFA Method details moved or hidden for Authentication Administrators role

Nicola Swan 20

Our helpdesk team have been assigned the Authentication Administrator roles in Azure to allow them to update MFA methods for our users who call in for help.

Recently the view has changed, and hides details like registered phone numbers, or puts them under the "non useable methods" fields, despite that being their default method for completing MFA.

Has anyone else seen this issue before, or is experiencing it now? What is the solution to revert back to a previous view where all methods registered were listed, whether they were used or not?

We have made no changes to our MFA settings for the institution, so unsure where this change came from without any notification.

Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-10T10:36:56.2733333+00:00

Hello @Nicola Swan
I understand that you are encountering changes in managing Multi-Factor Authentication methods, causing registered phone numbers to either be hidden or listed under the "non-usable methods" section, even though they are set as the default method for completing MFA.

To revert to the previous view, where all registered methods are listed regardless of whether they are used or not, administrators can view user authentication methods in the Microsoft Entra admin center. Usable methods are displayed first, followed by non-usable methods.

Authentication methods may appear as non-usable for various reasons. Methods that are no longer available due to the requirement to re-register multi-factor authentication will also be listed here.
For more information, please refer to this document: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?source=recommendations#usable-and-nonusable-methods
I would like to understand which methods are showing up under the non-usable authentication methods, other than your registered phone number. Could you please attach a screenshot of the non-usable authentication methods currently displayed?

Additionally, please refer to the following link for more details: https://learn.microsoft.com/en-us/answers/questions/1708290/authentication-methods-and-authentication-administ

Do let us know if you any further queries.
Renno East 5 Reputation points

2025-03-11T13:20:58.83+00:00

On the left, the Authentication Administrator role view (in white); on the right, the Global Admin role view. The same issue is also affecting our helpdesk team, who can no longer view all authentication methods. Has there been a recent change to role permissions? How can we restore full authentication method visibility without granting additional privileged roles?
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-18T10:15:47.4866667+00:00

Hello @Nicola Swan
Based on your Query, If the user does not verify their registration and, for some reason, returns to the previous page or skips the process, it will appear under the "non-usable authentication methods" tab in their profile. This is dependent on the verification process and registration, not on the view of the authentication administrator or global administrator. The global administrator has more privileges and can manage authentication methods, whereas the authentication administrator can only view users, not other admin accounts.
Do let us know if you any further queries.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-19T08:27:20.7233333+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-20T08:47:31.5533333+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Nicola Swan 20 Reputation points

2025-03-20T14:11:42.69+00:00

Hi Harshitha

My setup is displaying in exactly the same was as Renno East above. The phone number method, though working fine before and since this change, is showing as non-usable for our Helpdesk team.
Fedeles, Catalin 5 Reputation points

2025-03-24T15:23:14.13+00:00

We are experiencing the same issue and do not want to upgrade the Help Desk members to Global Admins.
Michael7140hz 5 Reputation points

2025-03-24T21:23:44.3166667+00:00

Same issue here. No changes to existing users that have the auth admin role. They were able to see details fine before, but not now. They can right click and see details or edit as needed, but not all details are shown as before. I have opened a ticket on this issue and troubleshooting, but as I have found others with this issue, I doubt it is just something in my tenant.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-25T11:09:30.8+00:00

Hello @Nicola Swan
I have tested the scenario and found similar results in my tenant as well. Therefore, I believe the recent changes may have been updated in the format you are currently seeing.
Do let us know if you any further queries.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-26T08:13:18.5366667+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-27T04:40:31.8866667+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
PhilChaney-5005 0 Reputation points

2025-03-27T17:01:20.17+00:00

We are seeing the exact same behavior in our tenant. Our Helpdesk team who have the Authentication Administrator role is affected in the same manner stated by all others in this thread. Please investigate/escalate this for a resolution.
BrianBear 0 Reputation points

2025-03-27T18:07:13.8733333+00:00

adding our tenant to this behavior as well - same scenario - helpdesk users are in the Authentication Administrator role, this needs to be fixed
PhilChaney-5005 0 Reputation points

2025-03-27T18:44:10.7633333+00:00

I will add that it does appear to be only the Phone number (SMS) method that appears involved, as it indicates "Non-usuable" for the Authentication Administrator role, but shows properly for Global Admin.
Nicola Swan 20 Reputation points

2025-03-28T14:52:17.9+00:00

Hi @Harshitha Eligeti

Ideally along with the others in this thread we would like this escalated, the point of the role of authentication administrator in our org need to be able to see and understand this information. Showing SMS in the "unusable" field when it's the primary use of authenticating for many users is causing confusion. Can it be looked into why this change was made, and how it can be reverted?

thanks
Michael7140hz 5 Reputation points

2025-04-01T16:05:30.67+00:00

In line with everyone else, it is just the phone auth that shows as "Non-usable authentication methods". I have added Authenticator and Passkeys which show up as Usable. I know SMS is not the most secure, but for a large majority of people, this is the easiest way to get them to use MFA. I had opened a ticket with support, it was transferred to the Azure team, then radio silence. Will be talking with my CSAM on this issue to get clarity.
PhilChaney-5005 0 Reputation points

2025-04-01T23:02:14.6866667+00:00

Thank you @Michael7140hz I believe it's something specific to the Authentication Administrator role, though I haven't tested Privileged Authentication Administrator to see if the results are the same. Definitely showing correctly as GA. I really hope your conversation with your CSAM causes some traction.
Michael7140hz 5 Reputation points

2025-04-02T16:00:18.6566667+00:00

Well, I did some testing with CSAM and another resource this morning. The issue we discovered is that any other role assigned with Authentication Administrator will cause the Phone Number method to show as Non-usable (did not test all other roles, but a custom one and message center reader). When stripped down to only Auth Admin role, does the Phone Number method show up as intended. I have sent an update to the support folk that are on my ticket, so perhaps that might get some traction as to why it does that.
Leon Grolig 0 Reputation points

2025-04-04T09:41:42.6233333+00:00
We experience the same issue with our helpdesk.
Me and my colleagues have different Azure admin accounts and are using the authentication administrator role.

I have global reader rights, but me colleagues do not, due to security measures.

When viewing my own user account, I can see both my phone number and iPhone as authentication methods.

However, my colleagues can only see the iPhone and not the phone number, even though they have the same roles as me.

This issue occurs for multiple users, especially for old users, while new users do not face this problem. New users can be viewed full

The issue started back in January, and there was a similar case reported on Microsoft forums since December.

There have been no changes in configuration, roles, or policies since the implementation of conditional access two years ago.

In the meantime I noticed, that the identities of my colleagues facing the problem are shwn as "phone" while mine and the accounts with no problems are sing as "<name of my company>.onmicrosoft.com".

1 answer

Your answer

Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-10T10:36:56.2733333+00:00

Hello @Nicola Swan
I understand that you are encountering changes in managing Multi-Factor Authentication methods, causing registered phone numbers to either be hidden or listed under the "non-usable methods" section, even though they are set as the default method for completing MFA.

To revert to the previous view, where all registered methods are listed regardless of whether they are used or not, administrators can view user authentication methods in the Microsoft Entra admin center. Usable methods are displayed first, followed by non-usable methods.

Authentication methods may appear as non-usable for various reasons. Methods that are no longer available due to the requirement to re-register multi-factor authentication will also be listed here.
For more information, please refer to this document: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?source=recommendations#usable-and-nonusable-methods
I would like to understand which methods are showing up under the non-usable authentication methods, other than your registered phone number. Could you please attach a screenshot of the non-usable authentication methods currently displayed?

Additionally, please refer to the following link for more details: https://learn.microsoft.com/en-us/answers/questions/1708290/authentication-methods-and-authentication-administ

Do let us know if you any further queries.
Renno East 5 Reputation points

2025-03-11T13:20:58.83+00:00

On the left, the Authentication Administrator role view (in white); on the right, the Global Admin role view. The same issue is also affecting our helpdesk team, who can no longer view all authentication methods. Has there been a recent change to role permissions? How can we restore full authentication method visibility without granting additional privileged roles?
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-18T10:15:47.4866667+00:00

Hello @Nicola Swan
Based on your Query, If the user does not verify their registration and, for some reason, returns to the previous page or skips the process, it will appear under the "non-usable authentication methods" tab in their profile. This is dependent on the verification process and registration, not on the view of the authentication administrator or global administrator. The global administrator has more privileges and can manage authentication methods, whereas the authentication administrator can only view users, not other admin accounts.
Do let us know if you any further queries.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-19T08:27:20.7233333+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-20T08:47:31.5533333+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Nicola Swan 20 Reputation points

2025-03-20T14:11:42.69+00:00

Hi Harshitha

My setup is displaying in exactly the same was as Renno East above. The phone number method, though working fine before and since this change, is showing as non-usable for our Helpdesk team.
Fedeles, Catalin 5 Reputation points

2025-03-24T15:23:14.13+00:00

We are experiencing the same issue and do not want to upgrade the Help Desk members to Global Admins.
Michael7140hz 5 Reputation points

2025-03-24T21:23:44.3166667+00:00

Same issue here. No changes to existing users that have the auth admin role. They were able to see details fine before, but not now. They can right click and see details or edit as needed, but not all details are shown as before. I have opened a ticket on this issue and troubleshooting, but as I have found others with this issue, I doubt it is just something in my tenant.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-25T11:09:30.8+00:00

Hello @Nicola Swan
I have tested the scenario and found similar results in my tenant as well. Therefore, I believe the recent changes may have been updated in the format you are currently seeing.
Do let us know if you any further queries.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-26T08:13:18.5366667+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-03-27T04:40:31.8866667+00:00

Hello @Nicola Swan
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back we are happy to help.
PhilChaney-5005 0 Reputation points

2025-03-27T17:01:20.17+00:00

We are seeing the exact same behavior in our tenant. Our Helpdesk team who have the Authentication Administrator role is affected in the same manner stated by all others in this thread. Please investigate/escalate this for a resolution.
BrianBear 0 Reputation points

2025-03-27T18:07:13.8733333+00:00

adding our tenant to this behavior as well - same scenario - helpdesk users are in the Authentication Administrator role, this needs to be fixed
PhilChaney-5005 0 Reputation points

2025-03-27T18:44:10.7633333+00:00

I will add that it does appear to be only the Phone number (SMS) method that appears involved, as it indicates "Non-usuable" for the Authentication Administrator role, but shows properly for Global Admin.
Nicola Swan 20 Reputation points

2025-03-28T14:52:17.9+00:00

Hi @Harshitha Eligeti

Ideally along with the others in this thread we would like this escalated, the point of the role of authentication administrator in our org need to be able to see and understand this information. Showing SMS in the "unusable" field when it's the primary use of authenticating for many users is causing confusion. Can it be looked into why this change was made, and how it can be reverted?

thanks
Michael7140hz 5 Reputation points

2025-04-01T16:05:30.67+00:00

In line with everyone else, it is just the phone auth that shows as "Non-usable authentication methods". I have added Authenticator and Passkeys which show up as Usable. I know SMS is not the most secure, but for a large majority of people, this is the easiest way to get them to use MFA. I had opened a ticket with support, it was transferred to the Azure team, then radio silence. Will be talking with my CSAM on this issue to get clarity.
PhilChaney-5005 0 Reputation points

2025-04-01T23:02:14.6866667+00:00

Thank you @Michael7140hz I believe it's something specific to the Authentication Administrator role, though I haven't tested Privileged Authentication Administrator to see if the results are the same. Definitely showing correctly as GA. I really hope your conversation with your CSAM causes some traction.
Michael7140hz 5 Reputation points

2025-04-02T16:00:18.6566667+00:00

Well, I did some testing with CSAM and another resource this morning. The issue we discovered is that any other role assigned with Authentication Administrator will cause the Phone Number method to show as Non-usable (did not test all other roles, but a custom one and message center reader). When stripped down to only Auth Admin role, does the Phone Number method show up as intended. I have sent an update to the support folk that are on my ticket, so perhaps that might get some traction as to why it does that.
Leon Grolig 0 Reputation points

2025-04-04T09:41:42.6233333+00:00

We experience the same issue with our helpdesk.
Me and my colleagues have different Azure admin accounts and are using the authentication administrator role.

I have global reader rights, but me colleagues do not, due to security measures.

When viewing my own user account, I can see both my phone number and iPhone as authentication methods.

However, my colleagues can only see the iPhone and not the phone number, even though they have the same roles as me.

This issue occurs for multiple users, especially for old users, while new users do not face this problem. New users can be viewed full

The issue started back in January, and there was a similar case reported on Microsoft forums since December.

There have been no changes in configuration, roles, or policies since the implementation of conditional access two years ago.

In the meantime I noticed, that the identities of my colleagues facing the problem are shwn as "phone" while mine and the accounts with no problems are sing as "<name of my company>.onmicrosoft.com".

Answer 1

Harshitha Eligeti 4,385 Microsoft External Staff Moderator

Hello @Nicola Swan, @Renno East, @Michael7140hz, @PhilChaney-5005, @BrianBear, @Fedeles, Catalin,
Multiple customers reported this issue through support tickets. We worked closely with our engineering team to address the behavior, and a fix has now been released. I tested this in my tenant and can confirm that when an authenticator administrator user checks a user's authentication methods, the phone number method now appears under "Usable authentication methods."

I request you to test this again and let me know if the issue persists. If so, I will follow up with our PG team for further investigation.

PhilChaney-5005 0 Reputation points

2025-04-03T20:31:13.2466667+00:00

I had our Helpdesk team test this and we are NOT seeing any change with this behavior so far.
Leon Grolig 0 Reputation points

2025-04-04T09:46:44.3433333+00:00

It seems to work for us. Thank you.
PhilChaney-5005 0 Reputation points

2025-04-04T16:17:16.11+00:00

@Leon Grolig Since Global Reader is very similar to Global Admin, it's possible that this is not a true test to determine if this has been resolved for users with only the Authentication Administrator role or Authentication Administrator and a combination of other roles to achieve a desired group of permissions without giving the user Global Administrator or Global Reader permissions.
Leon Grolig 0 Reputation points

2025-04-07T09:19:10.66+00:00

@PhilChaney-5005
I have to correct myself. Our helpdesk isnt using the global reader role. They only are assigned to the Authentication Administrator. The only person wiht both roles was me.
But it is working fine for them again.
PhilChaney-5005 0 Reputation points

2025-04-07T14:24:39.4733333+00:00

Can anyone else confirm they have seen a resolution. Our Helpdesk staff still see the same behavior and I need to determine if there is something else involved. Thanks!
BrianBear 0 Reputation points

2025-04-07T19:32:00.09+00:00

our helpdesk can now see the phone number under the usable method section, however it is still masked except the last 2 digits even clicking ... and viewing
PhilChaney-5005 0 Reputation points

2025-04-07T20:09:08.5466667+00:00

Thank you @Harshitha Eligeti @BrianBear and @Leon Grolig Our Helpdesk has now reported they are able to see it as expected, so perhaps a slow rollout for the fix. I also confirmed that they have always seen the number masked except for the last two digits.
Leon Grolig 0 Reputation points

2025-04-08T05:29:49.0133333+00:00

PhilChaney-5005
It seems that our helpdesk is fine with only seeing the last two digets. They did see the whole number in the past tho.
Harshitha Eligeti 4,385 Reputation points Microsoft External Staff Moderator

2025-04-08T06:16:57.58+00:00

Hello @Leon Grolig • @PhilChaney-5005
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
BrianBear 0 Reputation points

2025-04-08T12:36:40.56+00:00

I concur with Leon - our HD users with the Authentication Administrator role were able to see the full unmasked number before this. Now it's only those with Global Admin that can see the full unmasked number. We'll note that with our HD users.
PhilChaney-5005 0 Reputation points

2025-04-08T16:28:49.2433333+00:00

Thank you @Leon Grolig @BrianBear - I had thought the same so I found it unusual that our Helpdesk said it was masked and they believed it was previously. They are fine with it, but if it's something that should be investigated further, then maybe this is not 100% resolved after all @Harshitha Eligeti

Share via

Azure - MFA Method details moved or hidden for Authentication Administrators role

1 answer

Your answer