How do I enable Microsoft Authenticator App With Conditional Access

DP 1 Reputation point
2020-08-26T23:47:52.96+00:00

I performed the steps described at: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
But I am not able to use the Microsoft Authenticator app for MFA, despite the app appearing in the screenshots.

When logging in with a test user (with a Microsoft 365 E3 license), the only option is to enter a phone number and verify via SMS or call.

Conditional Access Grant Settings: [screenshot]

MFA Methods Settings: [screenshot]

MFA Service settings: [screenshot]


3 answers

  1. Vasil Michev 92,596 Reputation points MVP
    2020-08-27T06:14:24.603+00:00

    You are confusing the primary authentication methods (second picture) and the MFA methods. In your scenario, the user itself needs to configure the authenticator app first, via https://aka.ms/setupsecurityinfo


  2. DP 1 Reputation point
    2020-08-27T20:24:03.773+00:00

    I provided the screenshots to make sure I'm not missing a setting somewhere.

    In what scenario can we force the user (or at least give the option) to use the Authenticator app during initial login?

    In the tutorial: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa, there is no prerequisite to:

    1. Login with a test user,
    2. Activate MFA with test user.

    Is it not possible to force MFA registration on first login, or any subsequent login for that matter? What's the point of MFA if we can't enforce it and users can simply use SMS for MFA? Each time I logged in with the test user to the resource with the Conditional Access policy, it required MFA auth, with the only options being SMS and call. (I understand that the app will show up as an option after it's been configured, but I want to force the user to configure and use it instead of SMS).


  3. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-08-28T07:41:06.403+00:00

    Hello @DP

    If you select all options on the MFA Service Settings page, users can select any of the methods as their preferred method.
    [screenshot]

    To force the users to use Authenticator App, you need to select only the last two options:

    • Notification through mobile app
    • Verification code from mobile app or hardware token

    If a new user tries to access a resource which is protected with MFA via CA Policy, he will be asked to register for MFA first and he will get the option to use only the Authenticator App for MFA. However, users who have already set up MFA via Phone Call or Text Message will not be forced to register for MFA again. They will continue to use the existing method.

    If you want to force already registered users to register again, you need to clear the StrongAuthenticationRequirements attribute by using the cmdlets below:

    • Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements @()
    • Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | fl strong*

    To reset MFA method for all users in the tenant, run:

    • Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements @()

    You can also export users to a CSV file and run the command in a foreach loop, if you want to clear this attribute for a limited set of users.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
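The CSV-driven foreach loop mentioned in the answer above, written out as an added example (not code from the answer or from Microsoft). It assumes the MSOnline module is installed, that Connect-MsolService has already been run, and a constructed input file users-to-reset.csv with a UserPrincipalName column; the -DryRun switch only reports the current state and changes nothing.

```powershell
# Added example: clear StrongAuthenticationRequirements for a limited set of users
# listed in a CSV, reading the attribute back afterwards as a per-user check.
# Assumptions: MSOnline module installed, Connect-MsolService already done,
# and a constructed CSV (hypothetical path) with a UserPrincipalName column.
param(
    [string]$CsvPath = '.\users-to-reset.csv',   # hypothetical input file
    [switch]$DryRun                               # report only, change nothing
)

Import-Module MSOnline -ErrorAction Stop

# Helper: the State values ('Enabled'/'Enforced') of the requirement collection,
# joined into one string; an empty string means the attribute is already cleared.
function Get-RequirementState([string]$Upn) {
    $u = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    if (-not $u) { return $null }
    return ($u.StrongAuthenticationRequirements |
            Select-Object -ExpandProperty State) -join ','
}

$results = foreach ($row in (Import-Csv -Path $CsvPath)) {
    $upn    = $row.UserPrincipalName
    $before = Get-RequirementState $upn
    if ($null -eq $before) {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = 'NotFound'; Before = ''; After = '' }
        continue
    }
    if ($DryRun) {
        [pscustomobject]@{ UserPrincipalName = $upn; Status = 'DryRun'; Before = $before; After = $before }
        continue
    }
    # Same cmdlet as in the answer, applied to one user from the CSV.
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
    # Read back, equivalent to "Get-MsolUser ... | fl strong*" in the answer.
    $after  = Get-RequirementState $upn
    $status = if ($after -eq '') { 'Cleared' } else { 'StillSet' }
    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status; Before = $before; After = $after }
}

$results | Format-Table -AutoSize
```

Any row reporting StillSet after the run is worth re-checking by hand, since the read-back is the only confirmation the change took effect.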