How to use Microsoft Authenticator Notification as default MFA

Stefan Vestin 5 Reputation points
2023-05-08T08:36:34.5233333+00:00

Hello,

I have a group of AzureAD users that are required to use MFA when signing in. Enforcement of MFA is controlled via a Conditional Access policy. The Conditional Access policy enforces MFA for all cloud apps.

When they sign in it prompts them to open Microsoft Authenticator and approve the sign-in, as expected.

I have now added a secondary MFA authenticator to each user, this time using a third-party authenticator app. Now when the user signs in they are prompted to type in the 6-digit code instead. The six-digit codes from both Microsoft Authenticator and the third-party app work.

My question is, can I change the default MFA action to be sending an approve notification to the Microsoft Authenticator app instead of forcing the user to put in the code?

If I sign in to one of the users I don't have an option to change the default sign-in method. It says: "Default sign-in method: Authenticator app or hardware token - code."

Is there something I can do in Azure AD to control this?

Let me know if I need to provide more information.


2 answers

  1. Andy David - MVP 145K Reputation points MVP
    2023-05-08T11:07:58.81+00:00

    I would look at enforcing with Auth Strengths in the CA policy:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths

    TEST FIRST with a small group!


  2. Stefan Vestin 5 Reputation points
    2023-05-08T21:28:51.2433333+00:00

    Thanks for the answer. I gave it a quick try but it didn't make the users get the push notification from Microsoft Authenticator automatically. It still prompts for a code. I tried an Authentication strength enabling Password + Microsoft Authenticator Push and Password + Software OATH Token.

    What I have found so far is that the fix is the order in which you register your authentication methods. If you register the third-party app first and then Microsoft Authenticator, the user gets the push notification (with the option to enter the code instead if the push doesn't work). If you add them the other way around it will always prompt for the code.

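The two answers above leave an admin with a practical question: which users in the MFA group currently default to a code prompt rather than an Authenticator push, and can that be corrected without re-registering methods in the order the second reply describes? The following script is an added example and is not code from this thread or from Microsoft. It uses the Microsoft Graph PowerShell SDK to list each group member's registered methods and their per-user sign-in preference, and can opt-in set the preferred secondary method to push. Assumptions (not confirmed by the thread): the `GroupId` value is a placeholder, the `signInPreferences` resource and its `userPreferredMethodForSecondaryAuthentication` / `isSystemPreferredAuthenticationMethodEnabled` properties are read and written through the Graph beta endpoint, and `UserAuthenticationMethod.ReadWrite.All` is the scope needed for the PATCH.

```powershell
# Added example (not from the thread). Reports each group member's registered
# MFA methods and preferred secondary method; with -SetPushAsPreferred it sets
# the preference to Microsoft Authenticator push for users who have it registered.
param(
    [Parameter(Mandatory)] [string] $GroupId,   # object id of the MFA group (placeholder)
    [switch] $SetPushAsPreferred                # off by default: report only
)

# Reading methods needs UserAuthenticationMethod.Read.All; changing the
# preference needs UserAuthenticationMethod.ReadWrite.All (assumed scope).
$scopes = @('GroupMember.Read.All', 'UserAuthenticationMethod.Read.All')
if ($SetPushAsPreferred) { $scopes += 'UserAuthenticationMethod.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Group members can be users, groups or devices; keep only user objects.
$members = Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($m in $members) {
    $upn = $m.AdditionalProperties['userPrincipalName']

    # v1.0: registered methods; the @odata.type of each entry says what it is.
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
    $types = $methods | ForEach-Object {
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }
    $hasMsAuth = $types -contains 'microsoftAuthenticatorAuthenticationMethod'
    $hasOath   = $types -contains 'softwareOathAuthenticationMethod'

    # beta (assumption): per-user sign-in preference for the second factor.
    $prefUri = "https://graph.microsoft.com/beta/users/$($m.Id)/authentication/signInPreferences"
    $pref    = Invoke-MgGraphRequest -Method GET -Uri $prefUri
    $current = $pref.userPreferredMethodForSecondaryAuthentication

    # One row per user so the output can be filtered or exported.
    [pscustomobject]@{
        User            = $upn
        MicrosoftAuth   = $hasMsAuth
        SoftwareOath    = $hasOath
        Preferred       = $current
        SystemPreferred = $pref.isSystemPreferredAuthenticationMethodEnabled
    }

    # Only change users who have Authenticator registered and currently default
    # to something other than push; the switch keeps the write opt-in.
    if ($SetPushAsPreferred -and $hasMsAuth -and $current -ne 'push') {
        Invoke-MgGraphRequest -Method PATCH -Uri $prefUri -Body @{
            userPreferredMethodForSecondaryAuthentication = 'push'
        } | Out-Null
        Write-Verbose "Set push as preferred secondary method for $upn"
    }
}
```

Run it first without `-SetPushAsPreferred` to see, per user, whether both methods are registered and what the current preference is; the `SystemPreferred` column matters because when system-preferred MFA is enabled for the tenant, Entra ID picks the strongest registered method at sign-in (push ranks above an OATH code) regardless of registration order, which removes the ordering dependency the second reply found. The authentication-strength approach from the first answer constrains which combinations satisfy the policy but, as the second reply observed, does not by itself choose which of several acceptable methods is prompted first; the per-user preference or system-preferred MFA does that.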