SMS authentication is prompting/forcing me to set up MFA despite being configured to exclude MFA-app

Andreas Bjelven 135 Reputation points
2024-02-08T13:02:59.24+00:00

Hi,

Background:

I work in a company where there are a few users who refuse to download and use the MFA app on their phones. They only have their private phones and have not been given a work phone. How it works where I live is that the company cannot force the users to use the MFA app unless they've given the users a work phone. So my company has asked me, who works in the IT department, to set up an authentication through SMS instead.

Note: I have my own tenant which I use to lab and get hands on experience with.

Scenario:

Before applying this to my company's environment, I tried setting this up in my lab tenant. So in my lab tenant, I have set up a test user who is able to authenticate with the SMS method, see the following configuration:

First I created a user from the Entra ID and then I created a Security group called "MFA_SMS_TEST", see below:
After the group was created, I assigned my test user to the group:

After that, I went to "Microsoft Entra authentication methods" and excluded my MFA_SMS_TEST group:

After that I went to "Policies" in "Authentication methods", see below:

After that, I clicked on "SMS" and configured so that my MFA_SMS_TEST group would be included under the SMS authentication method:

Last, I went to the testuser and added "phone" as method:

When I try to log in to, for example, portal.outlook.com, it works and I get my SMS and the following shows:

I pressed "Skip for now" and it was no problem. I also logged in again 2 times to see if it would trigger/prompt/force me to set up MFA by downloading the app and scanning the QR code and all that, but it didn't. So the setup works as planned.

However, this is my problem. I did this exact setup in my company's tenant and it forces me to set up the MFA after I enter the SMS code:

Is there something I'm missing from my configuration?


2 answers

  1. Akhilesh Vallamkonda 9,850 Reputation points Microsoft Vendor
    2024-02-09T07:16:22.2366667+00:00

    Hi @Andreas Bjelven

    Thank you for posting your query on Q&A.

    For your query, you have followed the correct steps to set up SMS authentication for MFA, but the result is not as expected.

    This might be an issue with the conditional access policies or the security defaults that are already configured in your tenant. This may lead to conflicting policies or settings that might be forcing the use of the app-based MFA; could you please verify that?

    If yes, you need to turn off the security defaults in your tenant, or, if there are any conditional access policies applied, you can exclude the required users or groups from the conditional access policies or disable the conditional access policies that are applied to your tenant.

    If you enabled MFA for your tenant using the security defaults feature, please check here for more information.

    If you enabled MFA for your tenant using conditional access policies, you can refer here how to disable the conditional access policy.

    I hope this answer helps! If you have any further questions, please feel free to ask.

    Thanks,

    Akhilesh.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Paul Blank 1 Reputation point
    2024-03-04T20:57:11.78+00:00

    Frankly, for security reasons, I have no issue with forcing some form of MFA on Microsoft 365 users. Especially for email and OneDrive, things are getting too scary out there in the world security-wise.

    BUT Microsoft went a step further and is trying to force the use of Authenticator as opposed to SMS or voice call authentication.

    This is what I got from support today: Under that same page (Authentication Methods) go to Registration campaign, click Edit under settings and change State to Disabled.

    Now (supposedly) when Microsoft forces MFA for the account, you won't be forced to use Authenticator, but will have your choice of Authenticator, SMS or voice call verification.

    I did try this by turning on MFA in Entra for one user account, and it did work, while NOT trying to force MS Authenticator. I had set up voice call authentication and that worked.

    All that said, a user just had their phone cloned and their personal (gmail/Google in this case) account info, photos and other personal stuff stolen. Luckily they don't appear to have had their Microsoft 365 account compromised, but we changed the passwords and such anyway.

    So, while Authenticator might be the best choice, I still felt the need to give users a backup, even though it might be less secure.

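The checks the two answers describe (security defaults and conditional access in the first, the registration campaign in the second), together with the question's own SMS targeting, as an added example that is not from this thread or from Microsoft: it runs over a constructed snapshot of the Microsoft Graph policy objects, with MFA_SMS_TEST standing in for a group object id.

```python
# Added example, not from the thread: triage which tenant settings can still
# push a user who is targeted for SMS toward Authenticator registration. It
# reads the JSON shapes of GET /policies/identitySecurityDefaultsEnforcementPolicy,
# GET /policies/authenticationMethodsPolicy and GET /identity/conditionalAccess/policies
# (Microsoft Graph). SNAPSHOT is constructed sample data, not a real tenant.
SMS_GROUP = "MFA_SMS_TEST"  # placeholder; in Graph this is a group object id

SNAPSHOT = {
    "securityDefaults": {"isEnabled": True},
    "authMethodsPolicy": {
        "registrationEnforcement": {
            "authenticationMethodsRegistrationCampaign": {"state": "default"}},
        "authenticationMethodConfigurations": [
            {"id": "Sms", "state": "enabled",
             "includeTargets": [{"targetType": "group", "id": SMS_GROUP}]},
            {"id": "MicrosoftAuthenticator", "state": "enabled",
             "includeTargets": [{"targetType": "group", "id": "all_users"}]}]},
    "caPolicies": [
        {"displayName": "Require MFA for all users", "state": "enabled",
         "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                                  "excludeGroups": []}},
         "grantControls": {"builtInControls": ["mfa"]}}],
}

def find_enforcement_sources(snap, group_id):
    """Return the settings the thread's answers name as reasons Authenticator is still pushed."""
    findings = []
    # Answer 1: security defaults apply tenant-wide, regardless of per-method targeting.
    if snap["securityDefaults"].get("isEnabled"):
        findings.append("security defaults enabled")
    amp = snap["authMethodsPolicy"]
    # Answer 2: the registration campaign nudges users to Authenticator unless 'disabled'.
    camp = amp["registrationEnforcement"]["authenticationMethodsRegistrationCampaign"]
    if camp.get("state") != "disabled":
        findings.append(f"registration campaign state is '{camp.get('state')}'")
    # The question's own setup: the SMS method must be enabled and include the group.
    sms = next((c for c in amp["authenticationMethodConfigurations"] if c["id"] == "Sms"), {})
    if sms.get("state") != "enabled" or not any(
            t["id"] in (group_id, "all_users") for t in sms.get("includeTargets", [])):
        findings.append("SMS method not enabled for the group")
    # Answer 1: an enabled conditional access policy requiring MFA that covers the group.
    for pol in snap["caPolicies"]:
        users = pol["conditions"]["users"]
        covered = "All" in users.get("includeUsers", []) or group_id in users.get("includeGroups", [])
        requires_mfa = "mfa" in (pol.get("grantControls") or {}).get("builtInControls", [])
        if pol["state"] == "enabled" and requires_mfa and covered \
                and group_id not in users.get("excludeGroups", []):
            findings.append(f"CA policy '{pol['displayName']}' requires MFA for the group")
    return findings
```

Run against a real tenant by replacing SNAPSHOT with the three Graph responses; an empty result means none of the settings the answers mention is left in play for that group.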
