You are confusing the primary authentication methods (second picture) with the MFA methods. In your scenario, the user themselves needs to configure the authenticator app first, via https://aka.ms/setupsecurityinfo
How do I enable the Microsoft Authenticator App with Conditional Access?
I performed the steps described at: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa
But I am not able to use the Microsoft Authenticator app for MFA, despite the app appearing in the screenshots.
When logging in with a test user (with a Microsoft 365 E3 license), the only option is to enter a phone number and verify via SMS or call.
Conditional Access Grant Settings:
MFA Methods Settings:
MFA Service settings:
3 answers
DP 1 Reputation point
2020-08-27T20:24:03.773+00:00
I provided the screenshots to make sure I'm not missing a setting somewhere.
In what scenario can we force the user (or at least give the option) to use the Authenticator app during initial login?
In the tutorial: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa, there is no prerequisite to:
- Login with a test user,
- Activate MFA with the test user.
Is it not possible to force MFA registration on first login, or any subsequent login for that matter? What's the point of MFA if we can't enforce it and users can simply use SMS for MFA? Each time I logged in with the test user to the resource with the Conditional Access policy, it required MFA auth, with the only options being SMS and call. (I understand that the app will show up as an option after it's been configured, but I want to force the user to configure and use it instead of SMS).
AmanpreetSingh-MSFT 56,286 Reputation points
2020-08-28T07:41:06.403+00:00
Hello @DP
If you select all options on the MFA Service Settings page, users can select any of the methods as their preferred method.
To force the users to use Authenticator App, you need to select only the last two options:
- Notification through mobile app
- Verification code from mobile app or hardware token
If a new user tries to access a resource which is protected with MFA via a CA Policy, he will be asked to register for MFA first and he will get the option to use only the Authenticator App for MFA. However, users who have already set up MFA via Phone Call or Text Message will not be forced to register for MFA again. They will continue to use the existing method.
If you want to force already registered users to register again, you need to clear the StrongAuthenticationRequirements attribute by using the cmdlets below:
- Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationRequirements @()
- Get-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com | fl strong*
To reset MFA method for all users in the tenant, run:
- Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements @()
You can also export users to a CSV file and run the command in a foreach loop, if you want to clear this attribute for a limited set of users.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
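The CSV-driven variant the answer mentions, written out as an added example (this is not code from the answer or from Microsoft). It assumes the same MSOnline module the answer's cmdlets come from, with an existing Connect-MsolService session; the UPNs in the here-string are constructed placeholders standing in for an Import-Csv of the real export, and the log file path is likewise a placeholder. The function reads each user back after the reset so the run produces a record of what changed, and supports -WhatIf so the user list can be checked before anything is modified:

```powershell
# Added example, not part of the original answer: clear the per-user MFA
# requirement state for a limited set of users listed in a CSV, then read
# the result back for verification.
# Assumes the MSOnline module is installed and Connect-MsolService has
# already been run (same module as the answer's Set-MsolUser/Get-MsolUser).

# Constructed sample input; for a real run replace this with
#   $users = Import-Csv -Path .\users.csv   (placeholder path)
$csvText = @"
UserPrincipalName
alice@your_tenant.onmicrosoft.com
bob@your_tenant.onmicrosoft.com
"@
$users = $csvText | ConvertFrom-Csv

function Reset-MfaRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$UserPrincipalName
    )
    process {
        # ShouldProcess returns $false under -WhatIf, so the tenant is untouched
        # during a dry run and only the intended action is printed.
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear StrongAuthenticationRequirements')) {
            Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()

            # Read the user back so the run leaves a record of the resulting state.
            Get-MsolUser -UserPrincipalName $UserPrincipalName |
                Select-Object UserPrincipalName,
                    @{ Name = 'StrongAuthRequirementCount'; Expression = { $_.StrongAuthenticationRequirements.Count } },
                    @{ Name = 'StrongAuthMethodCount';      Expression = { $_.StrongAuthenticationMethods.Count } }
        }
    }
}

# Dry run first: shows which users would be reset without changing anything.
$users | Reset-MfaRegistration -WhatIf

# Real run once the list is confirmed; keep the read-back as a log (placeholder path).
$users | Reset-MfaRegistration | Export-Csv -Path .\mfa-reset-log.csv -NoTypeInformation
```

Because the reset is scoped to the UPNs in the file rather than piped from a bare Get-MsolUser, a typo in the export affects only the listed accounts instead of the whole tenant, and the exported read-back gives you something to compare against if a user later reports an unexpected re-registration prompt.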