How to use Microsoft Authenticator Notification as default MFA

Stefan Vestin 5 Reputation points
2023-05-08T08:36:34.5233333+00:00

Hello,

I have a group of AzureAD users who are required to use MFA when signing in. Enforcement of MFA is controlled via a Conditional Access policy, which enforces MFA for all cloud apps.

When they sign in it prompts them to open Microsoft Authenticator and approve the sign-in, as expected.

I have now added a secondary MFA authenticator to each user, using a third-party authenticator app. Now when the user signs in, they are prompted to type in the 6-digit code instead. The six-digit codes from both Microsoft Authenticator and the third-party app work.

My question is: can I change the default MFA action to sending an approve notification to the Microsoft Authenticator app instead of forcing the user to enter the code?

If I sign in to one of the users I don't have an option to change the default sign-in method. It says: "Default sign-in method: Authenticator app or hardware token - code."

Is there something I can do in Azure AD to control this?

Let me know if I need to provide more information.

Tags: Microsoft Entra ID, Microsoft Authenticator

2 answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2023-05-08T11:07:58.81+00:00

    I would look at enforcing with Auth Strengths in the CA policy:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths

    TEST FIRST with a small group!


  2. Stefan Vestin 5 Reputation points
    2023-05-08T21:28:51.2433333+00:00

    Thanks for the answer. I gave it a quick try, but it didn't make the users get the push notification from Microsoft Authenticator automatically. It still prompts for a code. I tried an Authentication strength enabling Password + Microsoft Authenticator Push and Password + Software OATH Token.

    What I have found so far is that the fix is the order in which you register your authentication methods. If you register the third-party app first and then Microsoft Authenticator, the user gets the push notification (with the option to enter the code if the push doesn't work). If you add them the other way around, it will always prompt for the code.

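The "Default sign-in method" the question refers to is a per-user setting that an administrator can read and change directly through Microsoft Graph, without re-registering methods in a particular order. The following PowerShell is an added example and is not code from either answer or from Microsoft; it uses the Graph beta `signInPreferences` resource (`userPreferredMethodForSecondaryAuthentication`) and the Microsoft.Graph PowerShell SDK. The group object ID, the scopes and the user principal names are placeholders, and the check for an existing Microsoft Authenticator registration is the author's own precaution so that a user is never given a default they cannot satisfy.

```powershell
# Added example (not from the thread): set Microsoft Authenticator push as the
# default MFA method for every member of a group via Microsoft Graph (beta).
# Assumptions: Microsoft.Graph SDK installed; caller has
# UserAuthenticationMethod.ReadWrite.All and GroupMember.Read.All;
# $GroupId is a placeholder for the MFA-enforced group from the question.

param(
    [string]$GroupId = '00000000-0000-0000-0000-000000000000',   # placeholder
    [switch]$WhatIf                                               # report only
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'GroupMember.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/users'

function Get-SignInPreference([string]$UserId) {
    # Returns the user's current default secondary-auth method and whether the
    # tenant-level "system-preferred MFA" setting overrides it.
    Invoke-MgGraphRequest -Method GET -Uri "$base/$UserId/authentication/signInPreferences"
}

function Test-HasMicrosoftAuthenticator([string]$UserId) {
    # True when at least one Microsoft Authenticator app is registered for the user.
    $r = Invoke-MgGraphRequest -Method GET -Uri "$base/$UserId/authentication/microsoftAuthenticatorMethods"
    return ($r.value -and $r.value.Count -gt 0)
}

function Set-DefaultToPush([string]$UserId) {
    # PATCH returns 204 No Content on success; Invoke-MgGraphRequest then returns $null.
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "$base/$UserId/authentication/signInPreferences" `
        -Body @{ userPreferredMethodForSecondaryAuthentication = 'push' } `
        -ContentType 'application/json' | Out-Null
}

$members = Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

foreach ($m in $members) {
    $upn  = $m.AdditionalProperties.userPrincipalName
    $pref = Get-SignInPreference -UserId $m.Id

    if ($pref.isSystemPreferredAuthenticationMethodEnabled) {
        # With system-preferred MFA on, the service chooses the method and the
        # per-user default is not what drives the prompt.
        Write-Warning "$upn : system-preferred MFA is enabled (system picks '$($pref.systemPreferredAuthenticationMethod)'); user default not applied"
        continue
    }

    if ($pref.userPreferredMethodForSecondaryAuthentication -eq 'push') {
        Write-Host "$upn : already defaults to push"
        continue
    }

    if (-not (Test-HasMicrosoftAuthenticator -UserId $m.Id)) {
        Write-Warning "$upn : no Microsoft Authenticator registration; leaving default '$($pref.userPreferredMethodForSecondaryAuthentication)'"
        continue
    }

    if ($WhatIf) {
        Write-Host "$upn : would change '$($pref.userPreferredMethodForSecondaryAuthentication)' -> push"
    } else {
        Set-DefaultToPush -UserId $m.Id
        $after = Get-SignInPreference -UserId $m.Id
        Write-Host "$upn : default is now '$($after.userPreferredMethodForSecondaryAuthentication)'"
    }
}

Disconnect-MgGraph | Out-Null
```

Run it first with `-WhatIf` against the test group, as the first answer advises, so that the output lists each user's current default and what would change before anything is written. The value `oath` corresponds to the "Authenticator app or hardware token - code" default the question describes, and `push` to the Authenticator notification; the script refuses to switch a user who has no Microsoft Authenticator registered, since that would leave them with a default they cannot complete. Because `signInPreferences` is a beta endpoint, re-check the resource documentation before relying on it in a scheduled job.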
