Microsoft Authenticator and User management Access

Closweetness 1 Reputation point
2020-12-15T08:12:36.203+00:00

I am the Admin for a company and am trying to understand how to fully utilize all the tools. I set up Microsoft Authenticator for myself. After adding users and creating their email, I sent them the temp passcode for when they sign in to the account to reset their PW. My employee sent me a screenshot showing that the Microsoft Authenticator states, "Your organization requires you to set up the following methods of proving who you are." I thought I only set that up for myself. How do you undo that? Can I set that up only for whom I choose to?

Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. mirba-msft 651 Reputation points Microsoft Employee
    2020-12-15T13:12:14.497+00:00

    Hello @Closweetness

    Thank you for reaching out to us.
    MFA can be enabled in the 4 places below, so you might have enabled MFA through any one of these options. Please go through them in order to better understand the configuration process.

    1. Using Conditional Access: If you have used this option to enable MFA, make sure you have not included all users.
    2. Per-user MFA: If you want to enable MFA only for your account, you should consider using this option.
    3. Security defaults: If you don’t want to enable MFA for all users, make sure it is not enabled.
    4. Identity Protection: If you have used this option to enable MFA, make sure you have not included all users.

    Using Conditional Access: If you have enabled the Microsoft Authenticator through MFA by creating a Conditional Access policy, then you can go to the same Conditional Access policy, where you will be able to remove the users or groups for which you don't want to enable Microsoft Authenticator. Please follow the steps below in order to undo the changes or to properly configure MFA for a set of users.

    1. Select Azure Active Directory, then choose Security from the menu on the left-hand side.
    2. Select Conditional Access, and then choose + New Policy if you want to create a new policy or select the existing policy and modify it.
    3. Remove the users for whom you don't want to enable MFA by going to the Users and groups section.


    Please go to the article below, where you will be able to find more information on configuring the conditions for multi-factor authentication: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy

    Per-User MFA: If you have enabled MFA on a per-user basis, then you need to go to Azure Active Directory -> All Users -> Multi-Factor Authentication and then select the users for which you want to enable or disable MFA. Please go through this link in order to find more information about configuring per-user MFA: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates


    Identity Protection: By enabling MFA through this option, you get the option to select all users in order to enable it. Please go to Azure Active Directory -> Security -> Identity Protection and then go to Sign-in risk policy to enable the MFA. Then go to MFA Registration policy in order to select users. For more information on configuring MFA through Identity Protection, you can go through this link: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies


    Security Defaults: This option will enable MFA on all the users. In order to enable it, you need to go to Azure Active Directory -> Properties, then select Manage security defaults and select Yes. Please go through this link for more information about security defaults: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults


    In case you have any questions on the same, you can surely let us know and we will be happy to help you further. If this post provides you the answer you were looking for, do accept it as an answer in the interest of community members with similar queries. If this does not answer, please ask further in the comments and we will be happy to address your concerns.

    Thank you.

    3 people found this answer helpful.
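
An added example, not part of the answer above and not Microsoft's code: a small offline audit that reports which tenant settings require MFA for a given user, covering two of the four places listed (security defaults and Conditional Access). It assumes the settings were exported as JSON in the Microsoft Graph shape; the policy names and user ids are constructed, and only user/group assignment is evaluated (roles, apps and other conditions are ignored).

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# and identitySecurityDefaultsEnforcementPolicy resources; all values below are
# constructed samples, not data from the thread.

def sample_policy(name, state, include_users, exclude_users=(), include_groups=()):
    """Build a constructed MFA policy dict in the Graph JSON shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {
            "includeUsers": list(include_users),
            "excludeUsers": list(exclude_users),
            "includeGroups": list(include_groups),
            "excludeGroups": [],
        }},
        "grantControls": {"builtInControls": ["mfa"]},
    }

SECURITY_DEFAULTS = {"isEnabled": False}
CA_POLICIES = [
    sample_policy("MFA for everyone", "enabled", ["All"]),
    sample_policy("MFA for admins", "enabled", ["admin-1"]),
    sample_policy("MFA pilot (report-only)", "enabledForReportingButNotEnforced", ["All"]),
]

def policy_targets(policy, user_id, group_ids):
    """True if the policy's user assignment covers this user; exclusions win."""
    users = policy["conditions"]["users"]
    groups = set(group_ids)
    if user_id in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return False
    include = users.get("includeUsers", [])
    return ("All" in include or user_id in include
            or bool(groups & set(users.get("includeGroups", []))))

def mfa_sources(user_id, group_ids, security_defaults, policies):
    """List the tenant settings that require MFA for this user."""
    sources = []
    if security_defaults.get("isEnabled"):
        sources.append("Security defaults")
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if p.get("state") == "enabled" and "mfa" in controls \
                and policy_targets(p, user_id, group_ids):
            sources.append("Conditional Access: " + p["displayName"])
    return sources

if __name__ == "__main__":
    for uid in ("admin-1", "employee-1"):
        print(uid, mfa_sources(uid, [], SECURITY_DEFAULTS, CA_POLICIES))
```

Per-user MFA state and Identity Protection registration policies are stored elsewhere and still need to be checked separately.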