How do I enable Microsoft Authenticator App With Conditional Access

asked 2020-08-26T23:47:52.96+00:00
DP 1 Reputation point

Performed steps described at: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
But I am not able to use the Microsoft Authenticator app for MFA, even though the app appears in the screenshots.

When logging in with a test user (with a Microsoft 365 E3 license), the only option is to enter a phone number and verify via SMS or call.

Conditional Access Grant Settings: [screenshot]

MFA Methods Settings: [screenshot]

MFA Service settings: [screenshot]


3 answers

  1. answered 2020-08-27T06:14:24.603+00:00
    Vasil Michev 61,461 Reputation points Microsoft MVP

    You are confusing the primary authentication methods (second picture) and the MFA methods. In your scenario, the user themselves needs to configure the authenticator app first, via https://aka.ms/setupsecurityinfo


  2. answered 2020-08-27T20:24:03.773+00:00
    DP 1 Reputation point

    I provided the screenshots to make sure I'm not missing a setting somewhere.

    In what scenario can we force the user (or at least give the option) to use the Authenticator app during initial login?

    In the tutorial: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa, there is no prerequisite to:

    1. Login with a test user,
    2. Activate MFA with test user.

    Is it not possible to force MFA registration on first login, or any subsequent login for that matter? What's the point of MFA if we can't enforce it and users can simply use SMS for MFA? Each time I logged in with the test user to the resource with the Conditional Access policy, it required MFA auth, with the only options being SMS and call. (I understand that the app will show up as an option after it's been configured, but I want to force the user to configure and use it instead of SMS).


  3. answered 2020-08-28T07:41:06.403+00:00
    AmanpreetSingh-MSFT 55,191 Reputation points

    Hello @DP

    If you select all options on the MFA Service Settings page, users can select any of the methods as their preferred method. [screenshot]

    To force the users to use Authenticator App, you need to select only the last two options:

    • Notification through mobile app
    • Verification code from mobile app or hardware token

    If a new user tries to access a resource which is protected with MFA via a CA policy, he will be asked to register for MFA first, and he will get the option to use only the Authenticator App for MFA. However, users who have already set up MFA via phone call or text message will not be forced to register for MFA again. They will continue to use the existing method.

    If you want to force already registered users to register again, you need to clear the StrongAuthenticationRequirements attribute by using the cmdlets below:

    • Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements @()
    • Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | fl strong*

    To reset MFA method for all users in the tenant, run:

    • Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements @()

    You can also export users to a CSV file and run the command in a foreach loop, if you want to clear this attribute for a limited set of users.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
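The CSV-driven variant of the reset described in this answer, as an added example that is not code from the answer or from Microsoft. It assumes the MSOnline module is installed, that the CSV has a UserPrincipalName column, and that the account used with Connect-MsolService may modify users; the file path and its contents are constructed.

```powershell
# Added example: clear StrongAuthenticationRequirements only for the users listed in a
# CSV, and read the attribute back afterwards instead of assuming the change took.
Import-Module MSOnline
Connect-MsolService   # prompts for an account with rights to modify user accounts

# Assumed CSV path and constructed contents; replace with your own exported file:
#   UserPrincipalName
#   user1@your_tenant.onmicrosoft.com
#   user2@your_tenant.onmicrosoft.com
$csvPath = 'C:\temp\mfa-reset-users.csv'
$users = Import-Csv -Path $csvPath

foreach ($row in $users) {
    $upn = $row.UserPrincipalName
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "${upn}: user not found, skipping"
        continue
    }

    # Leave accounts alone that carry no requirement entry; nothing to clear there.
    if ($user.StrongAuthenticationRequirements.Count -eq 0) {
        Write-Host "${upn}: nothing to clear"
        continue
    }

    # Same cmdlet as in the answer, applied to one user at a time.
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()

    # Verify by reading the attribute back (the answer checks it with "fl strong*").
    $after = Get-MsolUser -UserPrincipalName $upn
    if ($after.StrongAuthenticationRequirements.Count -eq 0) {
        Write-Host "${upn}: cleared, user will be asked to register MFA again"
    } else {
        Write-Warning "${upn}: attribute still set, check the account's permissions"
    }
}
```

Run it against a single test user from the CSV first; the per-user Write-Host/Write-Warning lines give you an audit trail of exactly which accounts were changed.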