Disable Microsoft Authenticator registration for users in a trusted network

Cataldo Ferrante 20 Reputation points

Hi everyone,

I set up a conditional access policy in which my users are not prompted for MFA with Microsoft Authenticator when login in a trusted network, meanwhile when they try to access cloud apps (such as Outlook, Teams and so on..) from an external, non-trusted network, they have to use Microsoft Authenticator to complete login procedure.

Everything worked fine until some users are prompted for Authenticator registration even when they are in a trusted network, and I do not want that this users are even prompted for Microsoft Authenticator registration, completing the login procedure with just email + password.

How can I achieve this goal? I just need to disable Registration Campaign?

If you have some workarounds, please feel free to suggest me them.

Thank you in advance.


Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,112 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,594 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee

    @Cataldo Ferrante

    Thank you for posting this in Microsoft Q&A.

    As I understand some users in your organization are getting prompted to register MFA in authenticator app. These users doesn't fall under any of the CA policy to prompt for MFA.

    Also, since CA policies are configured, security defaults is out of questions.

    All you can check is below features,

    • Check authentication methods tab inside one of the user properties in Entra portal and confirm if these users have not registered for any MFA methods. If these users have already registered for Phone SMS or voice MFA then registration campaign is the feature that you can check to confirm if it is enabled.
    • Check registration campaign and confirm if it is disabled or enabled. If it is enabled then you can exclude few users who were prompted for MFA and check if the issue still persists.

    Follow steps to check registration campaign,

    1. Login to https://entra.microsoft.com/ using global administrator credentials.
    2. Click on Protection blade on the left pane and then select "Authentication methods".
    3. Click on registration campaign and Edit button on the top.

    User's image

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful