What is the smoothest way to stop using SMS for MFA and transition users to Authenticator app?

Pitawat 326 Reputation points

My organization currently allows FIDO2 Security Key, Microsoft Authenticator app, SMS, and Email OTP as authentication methods. I, as an admin, would like to move away from SMS and Email OTP as I think they are the least secure way.

I want this transition to be as smooth as possible for the users. Is there a recommended way to do this? Current settings are in the screenshots below.

In Azure Portal:User's image

In account.activedirectory.windowsazure.com site:

User's image

I have also noticed that Azure is consolidating the MFA management to a single point, according to this article. Is it possible to remove SMS and Email OTP, along with migrating to Authentication methods policy in a single run?

Can I just disable and uncheck the SMS/Text message options in both places and all registered mobile phone numbers will be removed and Azure will ask users that don't have Authenticator app registered to register their devices next time they log in?

Any guide or recommendations are appreciated.

Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,598 questions
{count} votes

1 answer

Sort by: Most helpful
  1. !Daniel Bradley 906 Reputation points MVP

    Hi @Pitawat !

    If you are looking for the smoothest way, the best thing you can do is communicate clearly with your staff.

    You can also use the Microsoft Entra portal to change the default MFA method for users who HAVE setup the Authenticator app already but have SMS or other as the default: How to Change the Default MFA Method for Microsoft 365 Users

    You should also take advantage of the Registration Campaign feature to encourage users to set up the Authenticator app. That being said, communicate to your staff first and set their expectations. Use screenshots!!

    You can also use the Microsoft Entra portal to identify which users have the Authenticator setup and configured as default already:

    1. Login to Microsoft Entra.
    2. Expand Protection and select Authentication methods.
    3. Under Monitoring, select User registration details.
    4. Extract users who haven't configured MFA, haven't configured the Authenticator app or don't have the authenticator app as default.

    You can avoid confusion by only communicating to those who need to be communicated too.

    Thank you

    Blog: https://ourcloudnetwork.com/

    LinkedIn: https://www.linkedin.com/in/danielbradley2/

    0 comments No comments