Hello
Thanks for posting in Microsoft Community.
It sounds like you're trying to configure Azure MFA in a way that users receive SMS codes for multi-factor authentication (MFA) without being prompted to install the Authenticator app. The message about “3 skips” usually appears when users attempt to skip the MFA challenge a few times, and Azure AD or Entra ID encourages them to set up the Authenticator app as a primary method.
- Ensure MFA with SMS is Enabled as the Primary Method
You need to ensure that SMS-based MFA is configured as the primary method, so users can authenticate using SMS without needing the Authenticator app.
Follow these steps:
1.1. Configure MFA in Entra ID (Azure AD):
Go to the Azure portal (https://portal.azure.com).
Navigate to Azure Active Directory > Security > Multi-Factor Authentication.
Under Multi-Factor Authentication, select Additional cloud-based MFA settings.
On the MFA Settings page, ensure that the SMS option is enabled as a method.
1.2. Set up Authentication Methods in Entra ID:
In Azure AD (or Entra ID), go to Security > Authentication methods.
Under Methods (such as Phone), make sure that SMS-based authentication is set up and enabled.
Configure the Verification options to prioritize SMS as a method.
- Disable the "Authenticator App" Requirement:
The message saying "you must install the Authenticator app" often comes up because Azure AD has a recommendation for users to use the Authenticator app for security and usability reasons. You can suppress or reduce this prompt by configuring the following:
2.1. Disable the "Authenticator App" Requirement for MFA:
To prevent users from seeing the prompt to install the Authenticator app, you can disable the Authenticator app enrollment in Entra ID by following these steps:
Go to the Azure portal > Azure Active Directory > Security > Authentication methods.
Under Methods, look for Microsoft Authenticator and Phone (or other MFA methods).
For Microsoft Authenticator, you can disable the app for registration to prevent users from being asked to set it up.
Disable the Authenticator App for MFA: Ensure that only SMS, Voice, or other methods are enabled. If you disable the Authenticator app, users will only be prompted for the SMS method.
2.2. Disable "Skip MFA" Feature:
In some scenarios, users are prompted with a message that allows them to "skip" MFA if they haven't set up any MFA method. To prevent users from bypassing MFA entirely:
Go to Azure Active Directory > Security > Conditional Access.
Create or edit an MFA policy to ensure that MFA is always required for all users or specific groups.
Under the MFA settings section, ensure that skipping MFA challenges is not allowed or restricted.
- Review Conditional Access Policies:
If you have any Conditional Access policies in place, double-check to make sure that they are not enforcing the use of the Authenticator app for some users.
Go to Azure Active Directory > Security > Conditional Access.
Review and adjust policies to allow SMS-based MFA for all users, and make sure no policies are requiring the Authenticator app.
I hope the above information is helpful to you.
Best regards
Runjie Zhai
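
An added example, not part of the original answer and not Microsoft's code: a Python check of what the steps above ask you to verify (SMS enabled, Microsoft Authenticator state, and Conditional Access policies that would not accept SMS). It runs over constructed data shaped like the Microsoft Graph authentication methods policy and Conditional Access policy objects; the policy names and the custom authentication strength are assumptions made up for the illustration.

```python
# Constructed sample data shaped like Microsoft Graph policy objects (not a real tenant).
AUTH_METHODS_POLICY = {"authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Sms", "state": "enabled"},
]}
APP_ONLY = {"displayName": "Authenticator only (constructed)",
            "allowedCombinations": ["password,microsoftAuthenticatorPush"]}
CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "Admins: app only", "state": "enabled",
     "grantControls": {"builtInControls": [], "authenticationStrength": APP_ONLY}},
    {"displayName": "Pilot: app only", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"builtInControls": [], "authenticationStrength": APP_ONLY}},
]

def method_states(policy):
    """Map each authentication method id to True when its state is 'enabled'."""
    return {c["id"]: c.get("state") == "enabled"
            for c in policy.get("authenticationMethodConfigurations", [])}

def policies_blocking_sms(ca_policies):
    """Names of enforced policies whose authentication strength has no SMS combination."""
    blocked = []
    for p in ca_policies:
        if p.get("state") != "enabled":
            continue  # report-only and disabled policies do not affect sign-in
        strength = (p.get("grantControls") or {}).get("authenticationStrength")
        if not strength:
            continue  # the plain 'mfa' grant control accepts any enabled method
        combos = strength.get("allowedCombinations", [])
        if not any("sms" in c.split(",") for c in combos):
            blocked.append(p["displayName"])
    return blocked

def audit(policy, ca_policies):
    """Return a list of findings that would stop SMS-only MFA from working as intended."""
    states = method_states(policy)
    findings = []
    if not states.get("Sms", False):
        findings.append("Sms method is not enabled")
    if states.get("MicrosoftAuthenticator", False):
        findings.append("MicrosoftAuthenticator is still enabled for registration")
    findings += [f"CA policy '{n}' does not accept SMS" for n in policies_blocking_sms(ca_policies)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(AUTH_METHODS_POLICY, CA_POLICIES)) or "no findings")
```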