I don't want Phone and App password as second factor when registering MFA

Question

I don't want Phone and App password as second factor when registering MFA

Alex Wilber 0

I don't want my current users and the new created users setting up the Phone and App password as the second factor when registering for MFA.

I want the method 1 is app and method 2 is Email

Screenshot 2024-02-25 at 21.14.16

What I have done:

service settings > verification options: select Notification through mobile app / Verification code from mobile app or hardware token
security > authentication methods: enable all, but not SMS method
password reset >
- registration: select No
- authentication methods: select Mobile app code / Email

Can anyone please help me what I am missing here? Thank you so much.

1 answer

Your answer

Answer 1

Navya 16,455 Microsoft External Staff

Hi @Alex Wilber

Thank you for posting this in Microsoft Q&A.

I understand your concern that you don't want Phone and App password as second factor when registering MFA and want the method 1 is app and method 2 is Email.

You can use Authenticator App is for two factor authentication and password reset authentication. The email method is not suitable for two-factor authentication, only password reset is supported.

User's image

If you are using Legacy MFA follow below steps:

Security > Multifactor authentication > Additional cloud-based multifactor authentication settings > Verification options > Select Notification through mobile app and another option.

Password reset:

1.Need to select users for SSPR.

Protection > Password reset > Properties page, under the option Self-service password reset enabled, choose users according to your requirement.

2.Select authentication methods.

Password reset > Authentication methods > select two methods i.e. app and email.

For your reference: self-service password reset

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya

Alex Wilber 0 Reputation points

2024-02-27T19:46:52.9433333+00:00

Hi Navya,Thank you for your response. I have set all the settings as above mentioned and still requiring to register the Phone as second factor authentication. Is there any where I should check the settings in this issue?
Navya 16,455 Reputation points Microsoft External Staff

2024-02-28T05:55:45.5666667+00:00
Hi @Alex Wilber

Thank you for sharing the issue. It will help me understand it better.

Basically, the registration process checks the pattern below.

1.Authentication method policy: If user is enabled for App and another method (Email is not suitable for two factor authentication need to choose another method), the user can register for app and other method.

2.Legacy MFA policy: If not, the registration process checks the legacy MFA policy. To register Microsoft Authenticator if one of these settings is enabled for MFA:

Notification through mobile app

Verification code from mobile app or hardware token

3.Legacy SSPR policy: If the user can't register Microsoft Authenticator based on either of those policies, the registration process checks the legacy SSPR policy.

Security > authentication methods: enable all, but not SMS method.

I understood you have enabled All authentication methods except SMS method.

Make sure to select only two methods: method 1 is app and method 2 is Email. Can you verify that you have enabled voice call settings in the authentication methods? It might ask for a phone as a second factor of authentication.

For your reference: Manage authentication methods for Microsoft Entra ID

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.
Navya 16,455 Reputation points Microsoft External Staff

2024-03-01T10:49:51.02+00:00

Hi @Alex Wilber

I wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Alex Wilber 0 Reputation points

2024-03-02T15:16:23.3533333+00:00

Hi Navya,

Thanks for your all helpful info.

I have figured it out that we are unable to change the second-factor authentication since the account is admin, the two-gate password reset policy.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy

We will try to configure on the test user again.

Thank you for your help!

Share via

I don't want Phone and App password as second factor when registering MFA

1 answer

Your answer