Mix Per-User MFA and CA MFA results in only Phone being available for MFA registration.

Said A 706 Reputation points
2023-02-06T15:35:18.79+00:00

Hello everyone,

I had Per-User MFA for a while and I was able to limit MFA registration for a subset of users.

Any user I include in Per-User MFA will be prompted for MFA registration and will be prompted by default to setup Microsoft Authenticator.

I enabled MFA for another subset of users using CA policies.

Now, all users will only be prompted to setup MFA using Phone.

I have checked the following so far:

  • Per-User MFA service settings > Methods available to users > All checked

Is there anything controlling the AuthN methods available tenant-wide? And why would enabling MFA using CA limit the AuthN methods available to users during registration?

Thank you!

Regards,


Accepted answer
  1. Andy David - MVP 141.2K Reputation points MVP
    2023-02-06T16:53:28.7133333+00:00

    Hi there,

    Seems like different user groups are involved here, but per-user and CA policies do not mix. I have seen nothing but trouble with that. I would disable the per-user settings and use just the CA policies if you can.
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates



1 additional answer

  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2023-02-09T21:02:33.3233333+00:00

    @Said A

    Thank you for your detailed follow up and I apologize for the delayed response!

    From your lab scenario, since all the new users are prompted to register for MFA via the Microsoft Authenticator App during their first-time sign-in:

    • Can you see if Combined Registration is enabled for both your Test tenant and Prod tenant, since this could be affecting what users are allowed to set up?

    From your Authentication Methods screenshot, I noticed that the Microsoft Authenticator method isn't enabled.


    How policies work together:

    Because the MFA settings aren't synchronized between the policies, this allows administrators to manage each policy independently. Azure AD respects the settings in all of the policies so a user who is enabled for an authentication method in any policy can register and use that method. To prevent users from using a method, it must be disabled in all policies.

    Here's an example where a user who belongs to an accounting group wants to register Microsoft Authenticator.

    • The registration process first checks the Authentication methods policy. If the Accounting group is enabled for Microsoft Authenticator, the user can register it.
    • If not, the registration process checks the legacy MFA policy.
    • If the user can't register Microsoft Authenticator based on either of those policies, the registration process checks the legacy SSPR policy. In that policy too, a user can register Microsoft Authenticator if the user is enabled for SSPR and any of the Mobile app settings are enabled.

    Additional Link - How to migrate MFA and SSPR policy settings to the Authentication methods policy for Azure AD (preview)

    I hope this helps!

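To make the three-step precedence quoted in the answer above concrete, here is an added illustration that is not part of the answer and not Microsoft's code: a small Python model of the registration check (Authentication methods policy, then legacy MFA policy, then legacy SSPR policy) run over a constructed tenant. The user names, group id and the dict shapes are assumptions; the first policy only loosely mirrors the Graph `policies/authenticationMethodsPolicy` JSON (method `id`, `state`, `includeTargets`) and omits `excludeTargets`, and the two legacy policies are simplified to the settings the quoted text mentions. The constructed tenant reproduces the symptom in the question: Microsoft Authenticator is disabled in the Authentication methods policy, so a user who is neither in per-user MFA nor enabled for SSPR is left with SMS only.

```python
"""Model of the documented registration-time precedence:
Authentication methods policy -> legacy MFA policy -> legacy SSPR policy.
Constructed example (not Microsoft code); all tenant data below is made up.
"""

ACCOUNTING = "g-accounting"  # assumed group id

# Authentication methods policy (assumed shape, loosely mirroring Graph;
# excludeTargets omitted). Authenticator is deliberately disabled here.
AUTH_METHODS_POLICY = {
    "authenticationMethodConfigurations": [
        {"id": "Sms", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}]},
        {"id": "MicrosoftAuthenticator", "state": "disabled",
         "includeTargets": [{"targetType": "group", "id": "all_users"}]},
        {"id": "Fido2", "state": "enabled",
         "includeTargets": [{"targetType": "group", "id": ACCOUNTING}]},
    ]
}

# Legacy per-user MFA: per-user state plus the tenant-wide
# "Methods available to users" service settings (all ticked, as in the question).
LEGACY_MFA_POLICY = {
    "per_user_state": {"alice": "enforced", "bob": "disabled"},
    "methods_available": {"MicrosoftAuthenticator": True, "Sms": True, "Voice": True},
}

# Legacy SSPR policy: who SSPR is enabled for and the "Mobile app" settings.
LEGACY_SSPR_POLICY = {
    "enabled_users": {"carol"},
    "mobile_app_notification": True,
    "mobile_app_code": False,
}

USER_GROUPS = {"alice": {ACCOUNTING}, "bob": set(), "carol": set()}  # constructed


def _in_targets(user, targets):
    """True if any include target is all_users or a group the user belongs to."""
    groups = USER_GROUPS.get(user, set())
    return any(t.get("id") == "all_users" or t.get("id") in groups for t in targets)


def allowed_by_auth_methods_policy(user, method, policy=AUTH_METHODS_POLICY):
    for cfg in policy["authenticationMethodConfigurations"]:
        if cfg["id"] == method:
            return cfg["state"] == "enabled" and _in_targets(user, cfg.get("includeTargets", []))
    return False  # method not configured in this policy at all


def allowed_by_legacy_mfa(user, method, policy=LEGACY_MFA_POLICY):
    state = policy["per_user_state"].get(user, "disabled")
    return state in ("enabled", "enforced") and policy["methods_available"].get(method, False)


def allowed_by_legacy_sspr(user, method, policy=LEGACY_SSPR_POLICY):
    # Per the quoted text, only the Authenticator app is governed by the
    # SSPR "Mobile app" settings; other methods are not granted by this policy here.
    if method != "MicrosoftAuthenticator":
        return False
    return user in policy["enabled_users"] and (
        policy["mobile_app_notification"] or policy["mobile_app_code"])


def can_register(user, method):
    """Walk the policies in documented order; return (allowed, granting_policy)."""
    checks = (("authenticationMethodsPolicy", allowed_by_auth_methods_policy),
              ("legacyMfaPolicy", allowed_by_legacy_mfa),
              ("legacySsprPolicy", allowed_by_legacy_sspr))
    for name, check in checks:
        if check(user, method):
            return True, name
    return False, None


def registrable_methods(user, methods=("MicrosoftAuthenticator", "Sms", "Fido2", "Voice")):
    """Methods the user could register given all three policies combined."""
    return sorted(m for m in methods if can_register(user, m)[0])


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, registrable_methods(u), can_register(u, "MicrosoftAuthenticator"))
```

The second element returned by `can_register` names the policy that still grants the method, which is the thing to look at when the goal is the reverse of the question: the quoted text says a method is only truly blocked once it is disabled in all three policies.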