Microsoft Authenticator and User management Access

Question

I am the Admin for a company and am trying to understand how to fully utilize all the tools. I set up Microsoft Authenticator for myself. After adding users and creating their email, I sent them the temp passcode when they sign in to the account to reset their PW. My employee sent me a screen shot that it stated that "The Microsoft Authenticator states "your organization requires you to set up the following methods of providing who you are. I thought I only set that up for myself. How do you undo that? Can I set that up only for whom I choose to?

Answer 1

Hello @Closweetness

Thank you for reaching out to us.
The MFA can be enabled through 4 places below so you might have enabled MFA through any one of the options below please go through them in order to better understand the configuration process.

1. Using conditional Access: If you have used this option to enable MFA, make sure you have not included all users.
2. Per user MFA: If you want to enable MFA only for your account, you should consider using this option.
3. Security defaults: If you don’t want to enable MFA for all users, make sure it is not enabled.
4. Identity protections: If you have used this option to enable MFA, make sure you have not included all users.

Using Conditional Access: if you have enabled "The Microsoft Authenticator: through MFA by creating the Conditional Access policy then you can go to the same Conditional Access policy where you will be able to remove the users or groups that you don't want to enable Microsoft Authenticator please follow the steps below in order undo the changes or to properly configure the MFA for a set of users.

1. select Azure Active Directory, then choose Security from the menu on the left-hand side.
2. Select Conditional Access, and then choose + New Policy if you want to create a new policy or select the existing policy and modify it.
3. Remove the users that you don't want to enable MFA by going to the Users and groups section.

Please go to the below article where you will be able to find more information for configuring the conditions for multi-factor authentication https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa#create-a-conditional-access-policy

Per-User MFA: If you have enabled MFA on per user basis then you need to go to the Azure Active Directory - > All Users - > Multi-Factor Authentication and then select the users for which you want to enable or disable MFA. Please go through this link in order to find more information about configuring MFA Per-User https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Identity Protection: By Enabling MFA through this option you get the option to select all users in order to enable it please go to Azure Active Directory -> Security - > Identity Protection and then go to Sign-in risk policy enable the MFA. And then go to MFA Registration policy in order to select users. For more information on configuring MFA through Identity protection, you can go through this link https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

Security Defaults: This option will enable MFA on all the users in order to enable it you need to go to Azure Active directory-> properties and then select Manage security default and select Yes in order to enable it please go through this link for more information about security defaults https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

In case you have any questions on the same, you can surely let us know and we will be happy to help you further. If this post provides you the answer you were looking for, do accept it as an answer in the interest of community members with similar queries. If this does not answer, please ask further in the comments and we will happy to address your concerns.

Thank you.