Microsoft Authenticator Different Methods

Question

I'm working on enforcing MFA for all users in our tenant, and am wondering if when a new user is prompted for "More information required", and they choose "I want to set up a different method", currently the only options are Authenticator app and Phone. I have all but voice and certificate authentication methods enabled, but only the two mentioned are available. My goal is to have a Security Key be an alternative option to the Authenticator app and Phone. Is this a possibility? (FYI, I have fully migrated from the legacy MFA)

Answer 1

To implement Security Keys as an alternative to the Authenticator app and phone in your Azure AD environment for Multi-Factor Authentication (MFA), you should follow these steps:

1. Enable FIDO2 Security Key in Azure AD:
   • Sign in to the Azure AD admin center.
   • Navigate to Azure Active Directory > Security > Authentication methods > Authentication method policy.
   • Under the FIDO2 Security Key method, select Enable.
   • Choose All users or select specific groups if you want to apply it only to certain users or groups. Mor einfo https://practical365.com/achieving-passwordless-authentication-in-azure-ad/
2. Configure Authentication Method Settings:
   • In the FIDO2 Security Key settings, you can adjust additional options such as:
     • Allowing self-service setup.
     • Enforcing attestation.
     • Key restrictions, if you only want to allow certain types of FIDO2 keys. More info https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key
3. User Registration of the Security Key:
   • The user must have at least one additional security method registered.
   • To register a Security Key, the user needs to go to https://myprofile.microsoft.com, select Security Info, and then Add method.
   • Choose Security key and follow the instructions to set up the key, either USB or NFC. Mor einfo https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698
4. Security and Compliance Considerations:
   • Ensure that the Security Keys are FIDO2 and Microsoft compatible.
   • Administrators can manage users' Security Keys via Azure AD and PowerShell.
   • It’s advisable to register a backup authenticator device for each service or application. Mor einfo https://practical365.com/achieving-passwordless-authentication-in-azure-ad/
5. Monitoring and Auditing:
   • Administrators can verify and audit all registered authentication methods of the users in the Azure AD admin center.

If you have any specific questions about the process or need more details, feel free to ask. And remember, if this information has been helpful, please accept the answer to continue supporting you with quality information.

Answer 2

So this "should" work according to the table in this article. It might be worth checking to see if the tokens you have support U2F, which if I recall, is required to support the token providing the second factor in the authentication stack. Double check that compatibility and let me know.