No, you cannot prevent them from managing their own MFA methods; the best you can do is restrict which methods they can use.
Is there a way to prevent users from adding new MFA devices without assistance?
In our tenant, users can go to myaccount.microsoft.com, go to Security Info, and add a new sign-in method, including a new device to receive SMS, etc. Is there a way to prevent users in our tenant from doing this? Ideally they would have to have someone on the service desk do this on their behalf. Thanks.
3 answers
Rupert Murray 0 Reputation points
2023-11-24T11:29:40.5733333+00:00
Yes, there is a way you can do this in Entra. Reply back if you are still having the problem.
Rupert Murray 0 Reputation points
2024-04-03T09:44:52.36+00:00
Here is what I do.
I create an MFA group in AD. After I (or they) have registered their security keys or apps etc., put them into this group.
Then create a policy in the Conditional Access area of Entra.
I call mine "block security entries". Target resource = the group you have made.
In target resources, choose user actions and check "Register security information".
In Access control, choose block access.
Sync the AD and if they are in the group they can't tamper - Hurrah :D
If you or they need future access, simply take them out of this group, sync, wait a few minutes and you can access again under their credentials.
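As an added example (not code from the answer above), the same Conditional Access policy built with the Microsoft Graph PowerShell SDK. It starts in report-only mode so the sign-in logs show who would be blocked before it is enforced, and it excludes an emergency-access account so an admin can never be locked out of security-info registration; the group name and the break-glass UPN are placeholders.

```powershell
# Added example: create the Conditional Access policy described above with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph module). The group name and the
# break-glass account are placeholders; replace them with your tenant's values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All",
    "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Group holding users who have already registered their MFA methods (placeholder name).
$group = Get-MgGroup -Filter "displayName eq 'MFA-Registered-Users'"
if (-not $group) { throw "MFA group not found; create it first" }

# Emergency-access account that must never be blocked from registering security info (placeholder).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

$policy = @{
    displayName   = "Block security info registration for MFA-registered users"
    # Report-only first; switch to "enabled" once the sign-in logs confirm that
    # only the intended registrations would be blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            # The "Register security information" user action shown in the portal.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review what the policy would have done before enforcing it: report-only evaluations
# appear in each sign-in's AppliedConditionalAccessPolicies with result 'reportOnlyFailure'.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.AppliedConditionalAccessPolicies.Id -contains $created.Id } |
    Select-Object CreatedDateTime, UserPrincipalName,
        @{ n = 'Result'; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object Id -eq $created.Id).Result } }
```

Once the report-only results look right, update the policy's state to "enabled" with Update-MgIdentityConditionalAccessPolicy; the last command is also the check to run after enforcement, where the result column should read 'failure' for blocked registration attempts.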