Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
To protect customers from telephony-based abuse and fraud, Microsoft Entra ID applies intelligent detection and throttling mechanisms to all telecom-based authentication requests.
These protections use a combination of heuristics, machine learning models, and risk-based signals to detect and block potentially abusive or fraudulent telephony activity in real time.
In addition, some region codes require opt-in. Admins can submit a support request to enable telephony verification for these regions if needed.
Together, these safeguards help organizations defend against fraud while preserving a smooth authentication experience for legitimate users.
B2C tenants can follow the guidelines in B2C service limits.
Microsoft Entra External ID tenants can follow the guidelines in How to region code opt-in.
Behind-the-Scenes Protections
To combat telephony fraud, Microsoft Entra ID employs layered protections that assess each telephony transaction (SMS or voice call) using a combination of heuristics, risk signals, and machine learning models.
These protections help detect:
- Unusual call volumes or repeated attempts
- High-risk geographic or carrier patterns
- Known abusive behavior signals
- Abuse of free or metered phone number services
When a transaction is flagged as potentially abusive:
- The transaction may be throttled, preventing immediate delivery of the SMS or voice call.
- The user may see a "Sorry, we're having trouble verifying your account" message.
- The user can choose an alternative authentication method, such as using the Microsoft Authenticator app or another registered method.
New tenants are subject to additional safeguards to prevent abuse from newly created or compromised tenants. Specifically, telephony activity is throttled for the first few days after a tenant is created to limit excess telecom usage and reduce fraud exposure during this high-risk window.
Why This Protection Is Needed
In today's digital world, telecommunication services have become ingrained in our lives. However, advancements also come with increased risk of fraudulent activities. International Revenue Share Fraud (IRSF) is a threat with severe financial implications that can also degrade service reliability.
IRSF is a type of telephony fraud where criminals exploit the billing systems of telecommunication service providers to profit. Bad actors gain unauthorized access to a telecom network and divert traffic to premium rate numbers to skim profits from each transaction sent to those numbers. To drive traffic, bad actors may steal credentials, create new accounts, or exploit MFA workflows that send text messages or voice calls. This behavior results in excessive charges, unreliability, and service interruptions for customers.
Here’s how an IRSF attack typically works:
- A bad actor registers premium rate phone numbers.
- They use automated scripts to repeatedly request voice calls or text messages. In collaboration with telecom providers, they drive traffic to their numbers and skim a share of the profit.
- They rotate across region codes to evade detection and maximize profits.
The most common IRSF attack vector is through end-user MFA, which relies on text or voice calls. Bad actors exploit these mechanisms to funnel traffic to premium numbers, resulting in large-scale revenue skimming and potentially billions in losses.
IRSF poses a significant threat to online services and can cause reputational harm. Understanding the threat enables implementation of preventative measures like regional restrictions, rate limiting, and phone number verification.
Regions That Require Opt-In for MFA Telephony Verification
For SMS and voice verification, the following region codes require opt-in. If you want to enable telephony in these regions, you must submit a support request.
Note
We strongly recommend configuring more than one authentication method, with at least one being non-telecom-based.
Note
If a user previously received SMS or voice calls in a country but has stopped receiving them, throttling may be in effect. Retry after some time. If users in a tenant cannot receive SMS or voice calls in a specific country and that country is listed below, it may mean the tenant is not enabled for telecom authentication in that region. In such cases, we recommend using an alternative method to unblock the user. If telecom authentication is required and alternatives are unavailable, please open a support ticket.
Region Code | Region Name |
---|---|
Afghanistan | 93 |
Albania | 355 |
Algeria | 213 |
American Samoa | 1684 |
Andorra | 376 |
Angola | 244 |
Anguilla | 1264 |
Antarctica | 672 |
Antigua and Barbuda | 268 |
Antigua and Barbuda | 1268 |
Argentina | 54 |
Armenia | 374 |
Aruba | 297 |
Ascension Island | 247 |
Austria | 43 |
Azerbaijan | 994 |
Bahamas | 1242 |
Bahrain | 973 |
Bangladesh | 880 |
Barbados | 1246 |
Belarus | 375 |
Belgium | 32 |
Belize | 501 |
Benin | 229 |
Bermuda | 1441 |
Bhutan | 975 |
Bolivia | 591 |
Bosnia and Herzegovina | 387 |
Botswana | 267 |
Brazil | 55 |
British Indian Ocean Territory | 246 |
British Virgin Islands | 1284 |
Brunei | 673 |
Bulgaria | 359 |
Burkina Faso | 226 |
Burundi | 257 |
Cabo Verde | 238 |
Cambodia | 855 |
Cameroon | 237 |
Cayman Islands | 1345 |
Central African Republic | 236 |
Chad | 235 |
Chile | 56 |
China | 86 |
Colombia | 57 |
Comoros | 269 |
Congo | 242 |
Congo (DRC) | 243 |
Cook Islands | 682 |
Costa Rica | 506 |
Côte d'Ivoire | 225 |
Croatia | 385 |
Cuba | 53 |
Curaçao | 599 |
Cyprus | 357 |
Czech Republic | 420 |
Denmark | 45 |
Djibouti | 253 |
Dominica | 1767 |
Dominican Republic | 1809 |
Dominican Republic | 1849 |
Ecuador | 593 |
Egypt | 20 |
El Salvador | 503 |
Equatorial Guinea | 240 |
Eritrea | 291 |
Estonia | 372 |
Ethiopia | 251 |
Falkland Islands | 500 |
Faroe Islands | 298 |
Micronesia (Federated States) | 691 |
Fiji | 679 |
Finland | 358 |
French Guiana | 594 |
French Polynesia | 689 |
Gabon | 241 |
Gambia | 220 |
Georgia | 995 |
Germany | 49 |
Ghana | 233 |
Gibraltar | 350 |
Greece | 30 |
Greenland | 299 |
Grenada | 1473 |
Guam | 1671 |
Guatemala | 502 |
Guinea | 224 |
Guinea-Bissau | 245 |
Guyana | 592 |
Haiti | 509 |
Honduras | 504 |
Hong Kong SAR | 852 |
Hungary | 36 |
Iceland | 354 |
India | 91 |
Indonesia | 62 |
Iran | 98 |
Iraq | 964 |
Israel | 972 |
Italy | 39 |
Jamaica | 1658 |
Jamaica | 1876 |
Japan | 81 |
Jordan | 962 |
Kenya | 254 |
Kiribati | 686 |
Kosovo | 383 |
Kuwait | 965 |
Kyrgyzstan | 996 |
Laos | 856 |
Latvia | 371 |
Lebanon | 961 |
Lesotho | 266 |
Liberia | 231 |
Libya | 218 |
Liechtenstein | 423 |
Lithuania | 370 |
Luxembourg | 352 |
Macao SAR | 853 |
Madagascar | 261 |
Malawi | 265 |
Malaysia | 60 |
Maldives | 960 |
Mali | 223 |
Malta | 356 |
Marshall Islands | 692 |
Martinique | 596 |
Mauritania | 222 |
Mauritius | 230 |
Mayotte | 262 |
Mexico | 52 |
Micronesia | 691 |
Moldova | 373 |
Monaco | 377 |
Mongolia | 976 |
Montenegro | 382 |
Montserrat | 1664 |
Morocco | 212 |
Mozambique | 258 |
Myanmar | 95 |
Namibia | 264 |
Nauru | 674 |
Nepal | 977 |
Netherlands | 31 |
New Caledonia | 687 |
New Zealand | 64 |
Nicaragua | 505 |
Niger | 227 |
Nigeria | 234 |
Niue | 683 |
North Korea | 850 |
North Macedonia | 389 |
Northern Mariana Islands | 1670 |
Norway | 47 |
Oman | 968 |
Pakistan | 92 |
Palau | 680 |
Palestinian Territories | 970 |
Panama | 507 |
Papua New Guinea | 675 |
Paraguay | 595 |
Peru | 51 |
Philippines | 63 |
Poland | 48 |
Portugal | 351 |
Puerto Rico | 1787 |
Puerto Rico | 1939 |
Qatar | 974 |
Republic of Ireland | 353 |
Romania | 40 |
Russia | 7 |
Rwanda | 250 |
Saint Barthélemy, Saint Martin, Guadeloupe | 590 |
Saint Helena, Ascension, Tristan da Cunha | 290 |
Saint Kitts and Nevis | 1869 |
Saint Lucia | 1758 |
Saint Pierre and Miquelon | 508 |
Saint Vincent and the Grenadines | 1784 |
Samoa | 685 |
San Marino | 378 |
São Tomé and Príncipe | 239 |
Saudi Arabia | 966 |
Senegal | 221 |
Serbia | 381 |
Seychelles | 248 |
Sierra Leone | 232 |
Singapore | 65 |
Sint Maarten | 1721 |
Slovakia | 421 |
Slovenia | 386 |
Solomon Islands | 677 |
Somalia | 252 |
South Africa | 27 |
South Korea | 82 |
South Sudan | 211 |
Sri Lanka | 94 |
Sudan | 249 |
Suriname | 597 |
Sweden | 46 |
Switzerland | 41 |
Syria | 963 |
Taiwan | 886 |
Tajikistan | 992 |
Tanzania | 255 |
Thailand | 66 |
Timor-Leste | 670 |
Togo | 228 |
Tokelau | 690 |
Tonga | 676 |
Trinidad and Tobago | 1868 |
Tunisia | 216 |
Türkiye | 90 |
Turkmenistan | 993 |
Turks and Caicos Islands | 1649 |
Tuvalu | 688 |
Uganda | 256 |
Ukraine | 380 |
United Arab Emirates | 971 |
United Kingdom | 44 |
United States Virgin Islands | 1340 |
Uruguay | 598 |
Uzbekistan | 998 |
Vanuatu | 678 |
Venezuela | 58 |
Vietnam | 84 |
Wallis and Futuna | 681 |
Yemen | 967 |
Zambia | 260 |
Zimbabwe | 263 |
France | 33 |
Spain | 34 |
Australia | 61 |
The Dominican Republic | 1829 |