0 Votes
TaraldJohansen-5299 asked amanpreetsingh-msft commented

Setting only one required Authentication Method in Azure MFA

Hi everyone,

I'm setting up MFA for our cloud-based Azure AD / Office 365 environment, and have set up a Conditional Access Policy to enable MFA for cloud applications outside of the organisation's internal networks.

I have enabled ONLY text message as an authentication method, but when I then try to log in to a user outside the network to prompt activating the MFA, I first need to enter a phone number (as intended) but also a second method using the Microsoft Authenticator app (which is a disabled method).

Is it possible to configure MFA so that when a user is prompted to set up MFA, they will only need to add the one enabled method, being code by text, and have the second option completely removed?

I do not wish to use the Authenticator App, and emails are not an option as we do not want our users to receive access codes to their personal emails since it is not allowed to enter an email within the organisation itself.

Thank you in advance.

Tags: azure-ad-multi-factor-authentication, azure-ad-domain-services, azure-ad-authentication-protocols

1 Vote
amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @TaraldJohansen-5299 • Thank you for reaching out.

I suspect that you are required to provide 2 authentication methods because of SSPR. When you hit the Next button on the "More Information Required" page, it is checked whether SSPR is enabled for the user account or not. If SSPR is enabled, the user will have to provide an authentication method for both MFA and SSPR; refer to the flow chart below:

146877-image.png

To change the number of methods required for SSPR, navigate to Azure AD > Password Reset > Authentication Methods and make sure Mobile app notification/code is unchecked.

146810-image.png


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Yes this does seem to have solved the issue. Now it looks properly configured and users only get one method when setting up MFA.

Thank you very much for a straightforward and very easy to understand answer. Pictures were much appreciated and the flow chart was very good to look at.

Marked as accepted answer.

0 Votes 0 ·

@TaraldJohansen-5299 · Thank you for the confirmation and the feedback.

0 Votes 0 ·
0 Votes
michev answered

Have you checked the methods configured for SSPR (https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/AuthenticationMethods), as the registration process is now unified between the two?
