Is there a way to prevent users from adding new MFA devices without assistance?

Question

Is there a way to prevent users from adding new MFA devices without assistance?

Tom Collins 10

In our tenant, users can go to myaccount.microsoft.com, go to Security Info, and add a new sign in method, including a new device to receive SMS, etc. Is there a way to prevent users in our tenant from doing this? Ideally they would have to have someone on the service desk do this on their behalf. Thanks.

Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-02-08T08:55:19.69+00:00

@Tom Collins Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Brian Grigg 0 Reputation points

2023-09-14T23:43:18.24+00:00

Tom, I was curious if you found a better answer to what Vasil had suggested?

3 answers

Your answer

Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-02-08T08:55:19.69+00:00

@Tom Collins Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Brian Grigg 0 Reputation points

2023-09-14T23:43:18.24+00:00

Tom, I was curious if you found a better answer to what Vasil had suggested?

Answer 1

Rupert Murray 10

Here is what I do.

I create a MFA group on the AD. After I (or they) have registered their security keys or apps etc put them into this group

Then Create a policy in the conditional access area of entra.

I call mine block security entries. target resource = the group you have made

In target resources - Choose user actions and check the "Register Security Information "

In Access control - choose block access.

Sync the AD and if they are in the group they can't tamper - Hurrah :D

If you or they need future access - simply take them out of this group, sync. wait a few mins and you can access again under their credentials.

Abhishek Shah 0 Reputation points

2024-04-24T14:23:23.01+00:00

Isn't there a way where users can add MFA but then it goes to an admin for approval?

Because in a large organization, it is very time consuming to take users out of the group, wait for the sync, let the user complete MFA, and again add the user to the group. And do this over and over every time for each user.

Answer 2

Vasil Michev 119.5K MVP Volunteer Moderator

No, you cannot prevent them from managing their own MFA methods, best you can do is restrict which methods they can use.

Answer 3

Rupert Murray 10

Yes there is a way you can do this in Entra. reply back if you are still having the problem

The Bob 5 Reputation points

2023-12-05T15:39:56.3033333+00:00

Please share how this is accomplished
Jean-Marc Bonenfant 0 Reputation points

2024-04-02T20:44:30.3766667+00:00

I would also like to know how to do this.
Rupert Murray 10 Reputation points

2024-04-03T09:44:32.7433333+00:00

@Jean-Marc Bonenfant @The Bob (sorry the delay )

Here is what I do.

I create a MFA group on the AD. After I (or they) have registered their security keys or apps etc put them into this group

Then Create a policy in the conditional access area of entra.

I call mine block security entries. target resource = the group you have made

In target resources - Choose user actions and check the "Register Security Information "

In Access control - choose block access.

Sync the AD and if they are in the group they can't tamper - Hurrah :D

If you or they need future access - simply take them out of this group, sync. wait a few mins and you can access again under their credentials.

Share via

Is there a way to prevent users from adding new MFA devices without assistance?

3 answers

Your answer