Changes to the Registration campaign feature in Azure AD

Matthew John Earley BSc (hons) 10 Reputation points
2023-06-16T09:53:11.3666667+00:00

Publicly switched telephone networks (PSTN) such as SMS and voice authentication are the weakest forms of MFA. To help your users move away from them we are introducing changes to the Microsoft managed state of the Registration campaign feature in Azure Active Directory.

When this will happen:

July 10, 2023

How this affects your organization:

Starting July 10th, 2023, users in your organization that are relying on SMS and voice for MFA will be prompted to use the Microsoft Authenticator app. They can skip this prompt for a maximum of 3 times, after which registration of the app will be required.

What you can do to prepare:

We urge you to motivate your users to stop using SMS and voice for MFA. However, if some of your users need more time you can exempt them for now. Sign in as Global Administrator or Authentication Policy Administrator and go to Azure AD > Security > Authentication methods > Registration campaign and exclude these users.

[Question]
If your current in process of switching over from Legacy Multifactor Authentication to authentication methods policy how will this affect end users?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,668 questions

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Luc van den Ende 15 Reputation points Microsoft Employee
    2023-10-02T23:53:49.93+00:00

    The changes we have introduced relate to the registration campaign feature. For any organization with the state set to Microsoft managed, we are enabling the campaign for users that are fully dependent on PSTN methods (SMS and voice) for their MFA. Those users will then be prompted to start using the Microsoft Authenticator app, a faster and safer way to sign in.

    These changes have deployed to most organizations, with the deployment to remaining organizations happening before October 20, 2023. It is possible to exclude users and disable the feature altogether, for which I like you to refer to our public documentation: https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-registration-campaign

    There are no plans to discontinue SMS and voice.

    3 people found this answer helpful.
  2. Akshay-MSFT 16,126 Reputation points Microsoft Employee
    2023-06-19T06:32:42.8133333+00:00

    @Matthew John Earley BSc (hons)

    Thank you for posting your query on Microsoft Q&A, from the above description I could see that the post (Publicly switched telephone networks (PSTN) such as SMS and voice authentication are the weakest forms of MFA)you are referring to is from 2020, suggesting to move from Phone (PSTN) based MFA To authenticator app but does not enforce any change.

    We already have authenticator and token based authentication now (as its been 3 years since this was posted). So no actions are needed from Org Admins on this.

    For any upcoming deprecation please keep yourself posted on What's deprecated in Azure Active Directory?

    User's image

    • For any upcoming changes please keep yourself posted on What's new in Azure Active Directory?
    • In order to use registration campaign of all pre-reqs following are meant to be fulfilled:
      • MFA Registration Policy: Users will need to be enabled for Notification through mobile app.
      • Authentication Methods Policy: Users will need to be enabled for the Authenticator app and the Authentication mode set to Any or Push. If the policy is set to Passwordless, the user won't be eligible for the nudge. For more information about how to set the Authentication mode, see Enable passwordless sign-in with Microsoft Authenticator.
      As described above if you have set Authentication Methods "Migration in Progress" state then, legacy MFA policy will be taking precedence, however SSPR and first factor would go through Authentication method.

      Users will not be nudged, if using legacy MFA.

      User's image Hope this answers your question. Please do let me know if you have any further queries by responding in the comments section.

    Please do let me know if you have any queries by responding in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

    1 person found this answer helpful.
  3. James Tong 5 Reputation points
    2023-09-09T19:36:12.95+00:00

    The setting for the Registration campaign is disabled. Yet a few users are still getting prompt to set up the Microsoft authenticator. I don't how that is even possible.

    1 person found this answer helpful.
    0 comments
  4. Frode Bjørshol 0 Reputation points
    2023-10-06T10:04:08.29+00:00

    I have enabled "Limited number of snoozes" but still users can postpone Authenticator registration unlimited times. Screenshot 2023-10-06 at 11.49.51

  5. T.D 0 Reputation points
    2023-11-20T11:20:09.4266667+00:00

    @Matthew John Earley BSc (hons)

    Will users with registered FIDO keys also be affected by this registration campaign - will they be prompted to install the Microsoft Authenticator?

    0 comments