E-Mail option not available for MFA/SSPR

Yordan Yordanov 471 Reputation points
2020-05-05T13:16:20.423+00:00

I have the E-Mail authentication method enabled in Authentication Methods in Azure AD Password Reset and it is available when users try to register for SSPR/MFA using the combined registration experience. However, when I force users to register using the Azure AD Identity Protection MFA Registration Policy, the E-Mail option is not available, only the other enabled methods - mobile app and SMS. I thought the experience should be the same, no matter if users register by policy enforcement or voluntarily. Is this by design?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
    2020-05-05T13:36:43.51+00:00

    The experience is the same, as in the same UI/flow is used, but that doesn't mean the methods are the same. You cannot do MFA via email or via secret questions.

    1 person found this answer helpful.

2 additional answers

  1. abdelrahman omar amin ali 11 Reputation points
    2020-05-05T13:33:23.503+00:00

    Yes, this is by design.

    1 person found this answer helpful.

  2. Yordan Yordanov 471 Reputation points
    2020-05-05T14:14:43.537+00:00

    Good to know, thanks! Now when I think about it, it does make sense - the 2nd factor must be something that the user has, not another password/code coming from an e-mail.
