enabled MFA authentication methods in entra don't match add-authentication methods dropdown in aka.ms/mfasetup

Question

Why are my users able to add authentication methods that I have not enabled in entra? Thank you in advance. Enabled methods:

Add Method UI:

Answer 1

While i did ensure that PerUser MFA was disabled for all users in Azure AD, I neglected to turn off all the PerUser settings. I made my PerUser MFA - Service Settings screen look like this below and now my users can only add methods enabled in Entra. Looking forward to a single pane of glass to manage AzureAD, Entra and any other location where settings might be located - one that doesn't have settings moving from UI to UI from month to month.

Answer 2

Hi @19641845 , Thanks for reaching out. I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue: Users were able to add MFA authentication methods even those authentication methods are disabled in User Service settings.

Resolution: Methods available to users' settings were missed while ensuring that PerUser MFA was disabled for all users in Azure AD.

Disable verification methods allow users now to only add methods enabled in Entra.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#app-passwords

Also, thanks for sharing the feedback to keep all these pages to easily access so verification can be done easily. I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

Thanks,

Shweta