Some of our users are prompted to enroll/use Microsoft Authenticator when they log in to a 3rd party app configured with Azure AD SSO.

Sampradicon-0473 0 Reputation points
2024-01-26T19:52:25.88+00:00

It seems like our users are "randomly" asked to use Microsoft Authenticator (OTP).

There is more than one way I can configure it:

  1. Microsoft Entra admin center: Home > MyCompany > Devices | Overview ... > Authentication methods | policies. Current config is set to "Enable" all users.
  2. Microsoft 365 admin center: Home > setup > Configure multifactor authentication (MFA). Current config is set to "Completed".

My questions:

  1. Is there a way to block Microsoft from asking users to use 2FA, but still require 2FA for privileged users like all Azure Admin roles?
  2. In which of the screens below should I disable it?
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-01-29T23:36:45.28+00:00

    Hi @Sampradicon-0473 ,

    To require MFA only for privileged users, you can create a Conditional Access policy to enforce MFA for those accounts. https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa

    Note that when you start using Conditional Access you should "Disable" all of your users the old way in the service portal (per-user MFA) or admin center. Conditional Access doesn't flip the enable/disable/enforce flag. If using Conditional Access, then they should all be disabled, as per-user MFA overrides CA.

    If the MFA has been enabled through the MFA service portal, then you can go to the MFA service portal and disable the MFA for those users there (Entra ID > Per-user MFA > https://account.activedirectory.windowsazure.com/ MFA portal).

    Anything in the admin center should be immediately reflected in the regular MFA service portal, and vice versa.

    If MFA is disabled everywhere, then you should look at self-service password reset settings. When you disable Self-Service Password Reset, the prompt should disappear.

    Let me know if this helps and if you still face this issue.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let me know if you have further questions.
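
The two steps in the answer above, as an added example that is not part of the original answer or Microsoft's own code: it builds the Microsoft Graph request body for a Conditional Access policy that requires MFA for admin roles, and lists accounts whose per-user MFA flag is still set and would override it. The user export format (`upn`, `per_user_mfa`), the sample accounts, the report-only default and the emergency-account exclusion are assumptions made for illustration.

```python
import json

# Entra built-in role template IDs; extend with every admin role you assign.
ADMIN_ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
}


def build_admin_mfa_policy(emergency_account_ids, report_only=True):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph)."""
    return {
        "displayName": "Require MFA for admin roles",
        # Report-only first (assumption): review sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": sorted(ADMIN_ROLE_TEMPLATES.values()),
                # Assumption: emergency-access accounts are excluded to avoid lockout.
                "excludeUsers": list(emergency_account_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def per_user_mfa_leftovers(users):
    """UPNs whose legacy per-user MFA state is not 'disabled'.

    These accounts keep getting MFA prompts regardless of Conditional Access,
    because the per-user flag is evaluated independently of the CA policy.
    """
    return sorted(u["upn"] for u in users
                  if u["per_user_mfa"].strip().lower() != "disabled")


# Constructed sample export (hypothetical field names and accounts).
SAMPLE_USERS = [
    {"upn": "carol@contoso.example", "per_user_mfa": "Enabled"},
    {"upn": "bob@contoso.example", "per_user_mfa": "Disabled"},
    {"upn": "alice@contoso.example", "per_user_mfa": "Enforced"},
]

if __name__ == "__main__":
    placeholder_id = "00000000-0000-0000-0000-000000000001"  # constructed object ID
    print(json.dumps(build_admin_mfa_policy([placeholder_id]), indent=2))
    print("Disable per-user MFA for:", per_user_mfa_leftovers(SAMPLE_USERS))
```
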

