
Skip prompt for recovery phone number in MFA setup

Gopher4669 1 Reputation point
Aug 23, 2022, 10:25 AM

We want to enable MFA for all users in our organization and tested it with some users before. After they finish the setup of the authenticator app they are prompted to enter a phone number, in case they lose access to their mobile app. This is an issue since not all users have a company phone and we don't want to force them to use their private numbers.
Also, I think this is not necessary, since our admins can just reset MFA for a user. Is there a way to disable this part of the setup?


Microsoft Entra ID

4 answers

Sort by: Most helpful
  1. JimmySalian-2011 42,191 Reputation points
    Aug 23, 2022, 12:01 PM

    Hi,

    Thank you for asking this question on the Microsoft Q&A Platform.

    Yes, you can set the MFA options under the Azure portal; please follow the steps below to set them.

    Azure Portal - All Services - Security - Authentication Methods

    aad.portal.azure.com

    Also follow the screenshots to enable - disable the settings as per your requirements.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. JamesTran-MSFT 36,661 Reputation points Microsoft Employee
    Aug 23, 2022, 11:31 PM

    @Gopher4669
    Thank you for your post!

    I understand that you want to enable MFA for all of your users but even after registering the Microsoft Authenticator App as a form of MFA, users are also prompted to enter their phone numbers for SSPR purposes. When it comes to users having to enter their phone number, you should be able to disable registering for both if your tenant is enabled for Combined Registration.

    Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. With Combined Registration, users can register once and get the benefits of both Azure AD Multi-Factor Authentication and SSPR. Users who register or confirm their phone number or mobile app through the new experience can use them for Azure AD Multi-Factor Authentication and SSPR, if those methods are enabled in the Azure AD Multi-Factor Authentication and SSPR policies.

    For more info - Enable combined registration

    Additional Links:
    Combined Registration: Interrupt mode - This section details scenarios if you have both Multi-Factor Authentication and SSPR policies enabled for your tenant.
    Combined security information registration for Azure Active Directory overview
    Enable combined security information registration in Azure Active Directory
    Troubleshooting combined security information registration

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

  3. JimmySalian-2011 42,191 Reputation points
    Aug 25, 2022, 9:27 AM

    Hi,

    Have you tried the option of disabling the MFA - Phone settings under portal.azure.com?

    Configure
    Additional cloud-based multifactor authentication settings

    Also the Phone MFA can be configured or managed via the Authentication methods policy.

    Just to check: did you manage to remove the pre-registered MFA method for the users? "Require re-register MFA" makes it so that when the user signs in next time, they are asked to set up a new MFA authentication method.
    howto-mfa-userdevicesettings

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
    ----

    Please don't forget to upvote and accept as answer if the reply is helpful.

    1 person found this answer helpful.

  4. BerganTech 5 Reputation points
    Aug 5, 2023, 12:51 AM

    For me this was set in the Conditional Access Policy to Require MFA for all Users. In the Grant section of the Policy, it was set to either "Require multifactor authentication" or "Require Authentication Strength" > "Multifactor authentication". Both of these require SMS, so a phone is set up during registration. See below.


    To fix this, a new Authentication Strength needed to be added. See the picture below for the settings I used. Be careful with this, as you will need to make sure one of the options is the one you are using, or you may get locked out. I was using Passwordless MFA, for example, so if this is not checked I will not be able to log back in.


    Finally, after saving the Authentication Strengths Method, the browser needs to be refreshed then the new authentication strength added to the Conditional Access Policy.


    The result is below


    As you can see, there is no phone setup for a new user. There are other considerations, like removing SMS from password recovery and setting up Authentication Methods under Security, but the main one for me was the Authentication Strength in the Conditional Access Policy: that was the cause of always prompting for a phone number on MFA setup, and I could not find it documented elsewhere.

    1 person found this answer helpful.
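The phone-free Authentication Strength described in the answer above can also be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original thread: it assumes the Microsoft.Graph module is installed, that the admin running it is granted the Policy.ReadWrite.AuthenticationMethod and UserAuthenticationMethod.Read.All scopes, and that the display name, the allowed-combination list and the type-to-mode mapping are choices to adapt to your tenant; the pre-flight check on the admin's own registered methods addresses the lock-out caveat the answer raises.

```powershell
# Added example (not from the original thread): create an Authentication Strength
# with no SMS/voice combinations, but only after confirming that the admin account
# running this already satisfies at least one allowed combination (lock-out guard).
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Allowed combinations: phishing-resistant and Authenticator-based MFA only.
# Assumption: these are the methods your tenant lets users register; adapt as needed.
$allowed = @(
    'windowsHelloForBusiness',
    'fido2',
    'x509CertificateMultiFactor',
    'deviceBasedPush',                     # passwordless Authenticator phone sign-in
    'password,microsoftAuthenticatorPush', # password + Authenticator push
    'password,softwareOath'                # password + authenticator app TOTP code
)

# Assumed mapping from Graph authentication method types to the method modes used in
# combinations. Passwordless phone sign-in (deviceBasedPush) is not inferred here.
$modeByType = @{
    '#microsoft.graph.passwordAuthenticationMethod'                = 'password'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorPush'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusiness'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOath'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'sms'
}

# Lock-out guard: collect the modes the signed-in admin has registered and check that
# every mode of at least one allowed combination is present.
$me = (Get-MgContext).Account
$myModes = Get-MgUserAuthenticationMethod -UserId $me |
    ForEach-Object { $modeByType[$_.AdditionalProperties['@odata.type']] } |
    Where-Object { $_ } | Sort-Object -Unique
$satisfied = $allowed | Where-Object {
    $combo = $_ -split ','
    ($combo | Where-Object { $myModes -notcontains $_ }).Count -eq 0
}
if (-not $satisfied) {
    throw "Account $me has methods [$($myModes -join ', ')] but satisfies none of the allowed combinations; aborting to avoid lock-out."
}

# Create the strength. Attach it afterwards to the Conditional Access policy's Grant
# control ("Require authentication strength") in place of "Require multifactor authentication".
$strength = New-MgPolicyAuthenticationStrengthPolicy -DisplayName 'MFA without phone' `
    -Description 'Added example: MFA combinations without SMS or voice' `
    -AllowedCombinations $allowed
$strength | Select-Object Id, DisplayName, AllowedCombinations
```

Disabling SMS and voice in the Authentication methods policy (as the other answers suggest) is still needed so users are not offered a phone method at registration time; the strength only governs which combinations satisfy the Conditional Access grant.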
