Share via

Entra ID authentication Methods enable only FIDO and Authenticator, however, Global Admin continue seeing Phone and email

Sergio Londono 426 Reputation points
2024-06-03T13:57:20.67+00:00

Hello team,

I did the migration for authentication methods to only use Entra ID authentication methods.

User's image

User's image

User's image

However, Global admin continue seeing Phone and email as option for the verification method

User's image

For a regular user, this is correct, it only shows the AUthenticator as option because it is not elegible for FIDO2

User's image

It looks like the Entra ID authentication methods apply only for regular user and not for Global admins, or maybe for any other admin.

 

Questions:

Why for Global admin the other authentication methods email and phone are available?

If there is other kind  of admin, what would be his end-user experience, with email-phone or without email-phone respecting the configuration from Entra ID authentication methods?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,628 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Navya 6,845 Reputation points Microsoft Vendor
    2024-06-05T08:34:06.09+00:00

    Hi @Sergio Londono

    Thank you for posting this in Microsoft Q&A.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Issue:

    Entra ID authentication Methods enable only FIDO and Authenticator, however, Global Admin continue seeing Phone and email.

    Solution:

    Any user with admins role will be in scope for SSPR "Administrator Policy"

    User's image

    I tried the article to remove administrator from this SSPR "administrator policy" I don't want admins has SMS or Phone call or email.

    https://learn.microsoft.com/en-ca/entra/identity/authentication/concept-sspr-policy?WT.mc_id=Portal-Microsoft_AAD_IAM#administrator-reset-policy-differencesUser's image

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information. If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Thanks,

    Navya.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments