What is the smoothest way to stop using SMS for MFA and transition users to Authenticator app?

Question

What is the smoothest way to stop using SMS for MFA and transition users to Authenticator app?

Pitawat 326

My organization currently allows FIDO2 Security Key, Microsoft Authenticator app, SMS, and Email OTP as authentication methods. I, as an admin, would like to move away from SMS and Email OTP as I think they are the least secure way.

I want this transition to be as smooth as possible for the users. Is there a recommended way to do this? Current settings are in the screenshots below.

In Azure Portal: User's image

In account.activedirectory.windowsazure.com site:

User's image

I have also noticed that Azure is consolidating the MFA management to a single point, according to this article. Is it possible to remove SMS and Email OTP, along with migrating to Authentication methods policy in a single run?

Can I just disable and uncheck the SMS/Text message options in both places and all registered mobile phone numbers will be removed and Azure will ask users that don't have Authenticator app registered to register their devices next time they log in?

Any guide or recommendations are appreciated.

Thank you.

JamesTran-MSFT 34,226 Reputation points Microsoft Employee

2023-11-14T20:34:30.0866667+00:00

@Pitawat

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

JamesTran-MSFT 34,226 Reputation points Microsoft Employee

2023-11-14T20:34:30.0866667+00:00

@Pitawat

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Hi @Pitawat !

If you are looking for the smoothest way, the best thing you can do is communicate clearly with your staff.

You can also use the Microsoft Entra portal to change the default MFA method for users who HAVE setup the Authenticator app already but have SMS or other as the default: How to Change the Default MFA Method for Microsoft 365 Users

You should also take advantage of the Registration Campaign feature to encourage users to set up the Authenticator app. That being said, communicate to your staff first and set their expectations. Use screenshots!!

You can also use the Microsoft Entra portal to identify which users have the Authenticator setup and configured as default already:

Login to Microsoft Entra.
Expand Protection and select Authentication methods.
Under Monitoring, select User registration details.
Extract users who haven't configured MFA, haven't configured the Authenticator app or don't have the authenticator app as default.

You can avoid confusion by only communicating to those who need to be communicated too.

Thank you
Daniel

Blog: https://ourcloudnetwork.com/

LinkedIn: https://www.linkedin.com/in/danielbradley2/

What is the smoothest way to stop using SMS for MFA and transition users to Authenticator app?

1 answer

Activity