If you select all options on the MFA Service Settings page, users can select any of the methods as their preferred method.
To force users to use the Authenticator App, you need to select only the last two options:
- Notification through mobile app
- Verification code from mobile app or hardware token
If a new user tries to access a resource which is protected with MFA via a CA policy, he will be asked to register for MFA first and he will get the option to use only the Authenticator App for MFA. However, users who have already set up MFA via Phone Call or Text Message will not be forced to register for MFA again. They will continue to use the existing method.
If you want to force already registered users to register again, you need to clear the StrongAuthenticationRequirements attribute by using the cmdlets below:
- `Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements @()`
- `Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | fl strong*`
To reset the MFA method for all users in the tenant, run:
- `Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @()`
You can also export users to a CSV file and run the command in a foreach loop if you want to clear this attribute for a limited set of users.
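The CSV-driven variant mentioned above, as an added example that is not part of the original answer: it clears the attribute only for listed users, records each user's prior state, and supports `-WhatIf` for a dry run. It assumes the MSOnline module is loaded and `Connect-MsolService` has already been run; the function name, CSV column name, file paths and sample UPNs are hypothetical.

```powershell
# Added example (not from the original answer).
# Assumes: MSOnline module installed and Connect-MsolService already run.
# Hypothetical names: Reset-MfaRequirementFromCsv, the CSV column, file paths, sample UPNs.
function Reset-MfaRequirementFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$LogPath = '.\mfa-reset-log.csv'
    )

    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = "$($row.UserPrincipalName)".Trim()
        if (-not $upn) { continue }            # skip blank rows

        $status = 'Skipped'
        $before = $null
        try {
            # Fail fast on typos or deleted accounts instead of silently continuing
            $user   = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
            $before = ($user.StrongAuthenticationRequirements | ForEach-Object { $_.State }) -join ';'
            if ($PSCmdlet.ShouldProcess($upn, 'Clear StrongAuthenticationRequirements')) {
                Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @() -ErrorAction Stop
                $status = 'Cleared'
            }
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            StateBefore       = $before
            Result            = $status
            Timestamp         = (Get-Date).ToString('s')
        }
    }

    # Always write the audit log, even during a -WhatIf dry run
    $results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
    $results
}

# Constructed sample input: one UPN per row under a UserPrincipalName header
@'
UserPrincipalName
user1@your_tenant.onmicrosoft.com
user2@your_tenant.onmicrosoft.com
'@ | Set-Content -Path .\mfa-reset-users.csv

# Dry run first; remove -WhatIf to apply the change
Reset-MfaRequirementFromCsv -CsvPath .\mfa-reset-users.csv -WhatIf
```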