I have a small non-profit tenant of around 100 users, and this includes the free version of Azure AD. Because the users are charity volunteers, MFA is desirable but implementing it has more challenges than in a corporate environment. Microsoft's forthcoming enabling of Security Defaults has brought this matter back into focus.
Security Defaults does not appear to support MFA by text/call (unless you have set the app up and then, when you log in, click the link saying that you can't currently use it, at which point the text/call options are offered by way of backup). I have a small number of users who potentially don't have a smartphone (or may not want to use their own for this purpose), and one who doesn't use a mobile at all. But this number is so small that it is not worth upgrading our AD, at a cost of £thousands per annum, to a paid-for version.
We have some GUEST users too who are members of shared groups, and it is my understanding that Security Defaults will be enforced on them too (can anyone confirm for certain?), and that could prove a challenge.
I'm thinking I have the following options:
- Decline to implement Security Defaults, and go for legacy per-user MFA. But some articles suggest this isn't recommended without explaining precisely why. Also, I can't find any indication of whether the recently notified change "On 30 September 2024, the ability to manage authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will be retired" means legacy per-user MFA itself will be deprecated. Can anyone confirm?
- Implement Security Defaults and provide hardware OTP tokens for any exceptions. Does anyone have any recommendations for tokens that are cheap/reputable and work well with Azure AD?
- Implement Security Defaults and use something like Authy (rather than the Microsoft Authenticator app) for the exceptions, where the user can run it on a Windows or macOS machine, so there is no requirement for any mobile/smartphone. I tried this myself and it seems to work well.
Any advice appreciated.
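As an added example (not part of the original post or of any reply), the following PowerShell uses the Microsoft Graph PowerShell SDK to check whether Security Defaults is currently enabled and to list which authentication methods each member and guest user has registered, so that the small number of exceptions (nobody with an Authenticator app, phone, or OATH token registered) can be identified before Security Defaults is switched on. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), that the account running it can consent to the read-only scopes listed, and that the output file name `mfa-readiness.csv` is an arbitrary choice; the method labels in `$labels` map the `@odata.type` names the Graph API returns, and any type not listed is reported raw.

```powershell
# Added example, not from the original post: inventory MFA readiness before enabling Security Defaults.
# Requires the Microsoft.Graph PowerShell SDK and an account able to consent to these read-only scopes.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Is Security Defaults already on for this tenant?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Readable labels for the Graph @odata.type of each registered method.
#    Types relevant to the options discussed in the post are named; others are shown as returned.
$labels = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = 'MS Authenticator'
    '#microsoft.graph.softwareOathAuthenticationMethod'           = 'Software OATH (e.g. Authy)'
    '#microsoft.graph.hardwareOathAuthenticationMethod'           = 'Hardware OATH token'
    '#microsoft.graph.phoneAuthenticationMethod'                  = 'Phone (SMS/call)'
    '#microsoft.graph.fido2AuthenticationMethod'                  = 'FIDO2 key'
    '#microsoft.graph.passwordAuthenticationMethod'               = 'Password'
}
$passwordType = '#microsoft.graph.passwordAuthenticationMethod'

# 3. Walk every user (members and guests) and record what they have registered.
$report = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,UserType) {
    try {
        $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $names = $types | ForEach-Object { if ($labels.ContainsKey($_)) { $labels[$_] } else { $_ } }
        # A user whose only registered method is the password has nothing MFA can use yet.
        $needsSetup = -not ($types | Where-Object { $_ -ne $passwordType })
        $methods    = ($names | Sort-Object -Unique) -join ', '
    }
    catch {
        # Reading a guest's methods can fail depending on the guest's home tenant; flag rather than skip.
        $needsSetup = $null
        $methods    = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        UserType      = $u.UserType      # 'Member' or 'Guest'
        Methods       = $methods
        NeedsMfaSetup = $needsSetup
    }
}

# 4. Guests first, then members; exceptions (NeedsMfaSetup = True) at the top of each group.
$report | Sort-Object UserType, @{Expression='NeedsMfaSetup'; Descending=$true}, User | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-readiness.csv -NoTypeInformation
```

Security Defaults applies tenant-wide with no per-user exclusions, so the rows with `NeedsMfaSetup = True` are effectively the list of people who will be prompted to register a method once it is enabled; that is the list to cross-check against the hardware-token or desktop-authenticator options above, and the guest rows show which external users are in scope as well.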