"Your organization requires you to use Microsoft Authenticator"

Cloud_Geek_82 811 Reputation points

Hi All,

There is an organization that has a tenancy in Microsoft 365.

Security Default is disabled.

No Conditional Policy is applied.

I log in as a Global Admin and getting this.

Screenshot 2023-10-14 073355

I did a web search and in most articles it is advised that it comes from Authentication Methods \ Registration Campaign - Enabled.

However, I checked few other tenancies and they all have Authentication Methods \ Registration Campaign - Enabled but Microsoft Authenticator is not required when I log in to their tenancy portals.

Could you please help to find out where it comes from and how to disable it.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,624 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,795 questions
{count} votes

2 answers

Sort by: Most helpful
  1. JohnNeu 20 Reputation points

    Go to https://entra.microsoft.com as your administrator ID. Left pane.. expand PROTECTION > AUTHENTICATION METHODS > ..right pane on left side.. REGISTRATION CAMPAIGN > ..right side ~1/3 down.. Settings: [EDIT] , limited number of snoozes: DISABLED.

    Now users can just ignore/snooze installing the “requirement” for MFA application.

    I suggest you manually enable MFA on your users, though. Also set a quarterly calendar reminder to review the MFA settings to ensure you didn't forget the new-user step to activate MFA. The user can supply a few authentication methods, such as SMS text to cell phone, a phone-call, or email method. Note that you can have it voice-call the user's MS Teams phone or email MS Outlook -- however, if he/she needs to authenticate to both Teams and Outlook, well, he/she is out of luck! So, you essentially must have the user also input a home phone and/or home email. I have a couple users who refuse to use a home phone or home email -- my security audit concerns require MFA, so for those resistant users I input our IT phone as the authentication method (you can use the same phone for multiple accounts) and those users must call me and ask me to give them the authentication code.
    Here's how to manually enable MFA on a user:
    Go to https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx which also is accessed from admin.microsoft.com > USERS > ACTIVE USERS > ..at top MULTI-FACTOR AUTHENTICATION >>>
    ..at the top.. USERS > select user whose setting is currently Disabled for MFA > ENABLE > [ENABLE MULTI-FACTOR AUTHENTICATION] > [CLOSE] > ..again click same user.. [ENFORCE] > [ENFORCE MULTI-FACTOR AUTH] > [CLOSE]


    2 people found this answer helpful.

  2. Krzysztof Góral 0 Reputation points

    I changed System-preferred multifactor authentication to Disabled and it helpedUser's image