Azure MFA User Registration Authentication Methods

prunyan 1 Reputation point
2020-11-06T19:11:51.88+00:00

Our company is in the process of having users self-register for Azure MFA. When registering, they are presented with a list of methods available to them. Some users see email as a method for MFA authentication. We want to turn that method OFF for anyone registering. We also want to turn the "Office Phone" method off for anyone registering. I cannot find where these authentication methods can be enabled/disabled for all of our Azure users. How do I accomplish this? Why would one user see email as an MFA authentication method that they can use and another user would not?

Microsoft Security Microsoft Entra Microsoft Entra ID

3 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2020-11-07T01:36:10.237+00:00

    Hi @prunyan ,

    Right now you have to disable registration methods both in the MFA settings and in the SSPR settings. Users do not have an option to register for MFA using email, but they can do SSPR with email. To disable email as a method for SSPR, you just need to go to Azure Active Directory > Password reset > uncheck email as an option.

    [Screenshot: 38064-sspr.jpg]

    If you are using B2B you can manage users' MFA methods in the MFA settings.

    To enable or disable verification methods, complete the following steps:

    1. In the Azure portal, search for and select Azure Active Directory, then choose Users.
    2. Select Multi-Factor Authentication.
    3. Under Multi-Factor Authentication, select service settings.

       [Screenshot: 38039-image.png]

    4. On the Service Settings page, under verification options, select/unselect the methods to provide to your users.

       [Screenshot: 38086-image.png]

    5. Click Save.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

    Right now there is no option to disable office phone registration, but this is something the product team is aware of and working on. There will be an option for this released soon, and you can track the feature request here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37147648-there-should-be-an-option-to-disable-office-phone

    Hope this helps!


  2. prunyan 1 Reputation point
    2020-11-26T17:57:58.46+00:00

    Thank you Marilee. I take it that if we want to remove email as an Azure MFA authentication method available to our users, then we would uncheck the email box in your first screenshot above, yes? That sounds fine. Our setup matches your screenshots EXACTLY as shown above. I am still puzzled as to why there is a mismatch between the options in your first screenshot above and what users actually see in the MFA registration process. For instance, our users can still get to use a mobile app code with Microsoft Authenticator as an MFA method, yet our settings under the "Password Reset" options show "Mobile app code" as unchecked, just like your screenshot.


  3. Simon Burbery 691 Reputation points
    2021-09-02T12:15:44.027+00:00

    Okay this is how it works now - but I still see 'forced registration' occasionally even under these circumstances. Main thing is that you 'SHOULD' be using MS Auth App with MFA push notification as the 1st method, it is the most secure and phone / text may be deprecated soon so rather not have to change! And use group membership or geo-location to exclude objects from policies.

    1. If you are using Conditional Access policies and the user is 'affected' by one of the policies requiring MFA, they must register for MFA during sign-in (full stop).
    2. Check the setting under Azure AD => User Settings => User Features. Check the 'Users can use the combined security information registration experience' setting. This should be enabled for all users (or a group of users for pilot) to enable the more user-friendly experience (although as we know this will still result in 95% of users calling the helpdesk not knowing what to do... there is no 'fix' for that!! I feel MS have made it as friendly as possible now =) - consider pre-population for generic accounts like retail so they never have to register for or perform MFA.
    3. Click on Registration, set this to No (apparently should apply to newly created users only but I've definitely seen it affect existing users). This allows you to take the time to get users to register themselves.
    4. Upon enabling the above setting, you now need to configure Password Reset as you show above. Use 2 methods, enable Auth App, Phone (if required), email and security questions (pick around 10 relevant one-word-answer questions).
    5. From Azure AD => Users, go to Per-user MFA (by the way, don't configure any user settings here or you WILL have problems, this will be deprecated soon).
    6. Click on 'service settings' at the top, uncheck the methods you do not want (you may want to match these to your selection in no.3 for ease-of-use). Don't worry about trusted IP here, use Conditional Access.
    7. Depending on your license level, go to Azure AD => Security => Identity Protection => MFA Registration policy. Set to the group you want to be prompted for MFA registration. Allows you to set up other accounts manually. Requires AD P2 plan.
    8. Now the most important part - wear your favorite undies, cross your fingers and toes and hope all goes well LOL =)
    9. I've definitely seen accounts excluded from all policies still be prompted to register, which is obviously an issue at MS end. Hopefully they resolve that soon.

    Hope my default settings help someone!

    Cheers,
    Simon

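Both answers above walk through portal settings (the SSPR method checkboxes, the per-user MFA "service settings" page and the registration policy), but none of them shows how to verify afterwards which methods are actually enabled tenant-wide and which users still have email or office phone registered. The script below is an added example written for this thread, not code from any of the posters or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed (modules Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports) and that the signed-in admin can consent to the `Policy.Read.All`, `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All` scopes; the output file name `mfa-method-audit.csv` is an arbitrary choice.

```powershell
# Added example (not from the thread): audit tenant-wide authentication method
# settings and list users who still have email or office phone registered.
# Assumes Microsoft Graph PowerShell SDK and consent to the scopes below.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Tenant-level authentication methods policy: one entry per method
#    (Email, Sms, Voice, MicrosoftAuthenticator, ...) with State enabled/disabled.
#    This is the modern equivalent of the "service settings" checkboxes.
$policy = Get-MgPolicyAuthenticationMethodPolicy
Write-Host "Authentication methods policy:"
$policy.AuthenticationMethodConfigurations |
    Select-Object Id, State |
    Sort-Object Id |
    Format-Table -AutoSize

# 2. Per-user registration report: MethodsRegistered holds strings such as
#    'email', 'mobilePhone', 'officePhone', 'microsoftAuthenticatorPush'.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Flag anyone who still has a method registered that the question wants turned off.
$unwanted = @('email', 'officePhone')
$flagged = @($details | Where-Object {
    $methods = $_.MethodsRegistered
    ($unwanted | Where-Object { $methods -contains $_ }).Count -gt 0
})

$flagged |
    Select-Object UserPrincipalName, IsMfaRegistered, IsSsprRegistered, DefaultMfaMethod,
                  @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } } |
    Export-Csv -Path .\mfa-method-audit.csv -NoTypeInformation

Write-Host ("{0} of {1} users have email or office phone registered; details in mfa-method-audit.csv" -f $flagged.Count, @($details).Count)

Disconnect-MgGraph | Out-Null
```

Run it once before and once after changing the portal settings: the first section confirms what the tenant policy actually allows (and answers the question's "why does one user see email and another not", since email shows up only where SSPR or the policy permits it), and the CSV gives the helpdesk a concrete list of accounts to re-register rather than waiting for users to notice a method has disappeared.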
