MFA - Using alternative email address to verify identity

Nicola Swan 26 Reputation points
2021-01-19T10:22:40.237+00:00

Hi Everyone

Our organisation is in the process of rolling out MFA across all users, and our testing phase is coming to a close so we'll be pushing everyone to sign up within the next couple of months.

One of our concerns is that if a user leaves their phone at home and needs to sign in using a method other than the Authenticator app or a code via text, there doesn't seem to be an option aside from "turn MFA off for the user" to allow them to log in and work.

We require everyone to add an alternative email address to use MFA and SSPR in the organisation. Is there a way to use this email to receive a code to allow login? We don't have an on-premise phone system that would allow code delivery so this isn't an option unfortunately. Turning off extra security really isn't an option and can be abused repeatedly.

Any guidance or alternatives would would greatly appreciated :)

Many thanks, Nicola

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,444 questions
0 comments
Accepted answer
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2021-01-19T23:35:48.727+00:00

    @Nicola Swan
    Thank you for your post!

    Unfortunately, the only forms of verification that can be used with Azure AD Multi-Factor Authentication (AzureAD MFA), is MS Authenticator App, OATH token, SMS, or Voice call. For more info.

    You can also see this listed within "aka.ms/mfasetup"
    58351-image.png

    An alternative could be Windows Hello for Business, however, if you have any questions regarding Windows Hello, I'd recommend reaching out to our experts via the Windows Hello Community Forums.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. craftyDave 6 Reputation points
    2021-09-21T11:38:21.647+00:00

    I think this would be a useful option for a lot of organisations- I've been leading a rollout of MFA in mine and have had a small number of users who are reluctant to use their personal devices for MFA. If we could give them the option of creating an email address solely for this purpose with a free email provider it would give us an option to these people. We don't want to 'force' them to use their own devices, though that seems to be the only option left.

    1 person found this answer helpful.