Hi @Mike van Rijn,
If you go to Azure Active Directory > Security > Authentication methods, you should be able to enable Microsoft Authenticator for all of your users while enabling voice call and SMS for a specific group of users.
There you can include or exclude groups for those MFA methods.
Note that if there are multiple methods available, the users can select any of them and there isn't a way to configure a default method. That said, with SSPR or security defaults enabled, the Authenticator will be prompted as the system-preferred method. Also, if you make sure that system-preferred MFA is set to Enabled, the system should choose the most secure method and prefer Authenticator over less secure methods like SMS. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication
If you have a Conditional Access Policy to Require MFA for all Users, this may add complications as well. In the Grant section of the Policy, if it is set to "Require multifactor authentication" or "Require Authentication Strength" > "Multifactor authentication", both of these require SMS so a phone is set up during registration.
Let me know if this is what you are looking for.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let me know if you have further questions.
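The setup described in the answer above can be checked against an exported policy. This is an added example, not part of the original answer: it assumes the policy JSON has the shape of the Microsoft Graph authenticationMethodsPolicy resource, and the sample policy, the `audit` helper and the group GUID are constructed placeholders.

```python
import json

# Constructed sample shaped like the Microsoft Graph authenticationMethodsPolicy
# resource; the group GUID is a placeholder, not a value from the thread.
SAMPLE_POLICY = json.loads("""
{
  "systemCredentialPreferences": {"state": "default"},
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Voice", "state": "enabled",
     "includeTargets": [{"targetType": "group",
                         "id": "00000000-0000-0000-0000-000000000001"}]}
  ]
}
""")

WEAK_METHODS = {"Sms", "Voice"}  # the methods the answer scopes to one group


def audit(policy, phone_group_id):
    """Return findings where the policy differs from the setup described above."""
    findings = []
    methods = {m["id"]: m for m in policy.get("authenticationMethodConfigurations", [])}

    def targets(method_id):
        # Groups a method is usable for; a disabled method targets nobody.
        cfg = methods.get(method_id, {})
        if cfg.get("state") != "enabled":
            return set()
        return {t["id"] for t in cfg.get("includeTargets", [])}

    if "all_users" not in targets("MicrosoftAuthenticator"):
        findings.append("MicrosoftAuthenticator is not enabled for all users")
    for method_id in sorted(WEAK_METHODS):
        extra = targets(method_id) - {phone_group_id}
        if extra:
            findings.append(f"{method_id} is enabled beyond the phone group: {sorted(extra)}")
    state = policy.get("systemCredentialPreferences", {}).get("state")
    if state != "enabled":
        findings.append(f"system-preferred MFA state is {state!r}, not 'enabled'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, "00000000-0000-0000-0000-000000000001"):
        print(line)
```

On the constructed sample it reports that SMS is still open to all users and that system-preferred MFA is left at its default state.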