Unable to verify identity via Microsoft Authenticator after SSPR migration

Question

Hello,

Some of our users experiencing problems after recent migration to new Entra ID policies, then don't see Microsoft Authenticator as valid option and only see phone / sms option.

Answer 1

Hello @Orkhan Zulfugarov,

Thank you for connecting offline to discuss this issue.

Based on our discussion, we understand that some users in your tenant are unable to add the Microsoft Authenticator app as an MFA method. They are only seeing options such as SMS, voice call, and passkey, but not Microsoft Authenticator.

Cause: We observed that the migration from legacy to modern authentication methods is marked as completed. However, it appears that the legacy verification options and password reset authentication methods were not unchecked prior to the migration. As a result, legacy policies are still in effect, preventing users from seeing the Microsoft Authenticator option when attempting to register a new method.

Solution: We followed the guidance outlined in the official documentation to update the authentication method settings. Specifically, we reverted the migration status to In-progress, unchecked all legacy verification and password reset authentication options, and then completed the migration again.

These changes should now ensure that users are presented with the Microsoft Authenticator app as an available method for MFA registration.

How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".