Authenticator App Being Forced

Paul Barber 20 Reputation points
2024-05-01T17:39:55.0166667+00:00

Last week I was made aware of this message some accounts were receiving upon login. We have MFA enabled for the majority of accounts, but there are some that are not enrolled for various reasons. Now, even though MFA is disabled for the account, this message appears. After opening a support ticket with Microsoft, it seems the only way to satisfy this requirement is to enter a phone or email under Authentication Methods for each account in Entra admin, or purchase an Entra P1 license to enable Conditional Access (https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview). Microsoft has created the problem to sell the solution. The biggest problem for me is that our European headquarters shares the same tenant with us, but they did not have MFA enrolled, so now they are being forced to very quickly find a solution so their users are not locked out. This also creates a problem where, because of GDPR, they can refuse to enter their personal phone or email. Does anyone know another way around this? I have disabled security defaults, and I do not have an active registration campaign.

[Screenshot 2024-04-30 083637: the login message referred to above; image not included]


Accepted answer
    Sandeep G-MSFT 14,996 Reputation points Microsoft Employee
    2024-05-03T05:23:13.8066667+00:00

    @Paul Barber

    Thank you for posting this in Microsoft Q&A.

    Unexpected MFA registration can happen due to 3 reasons.

    • Security Defaults: Someone might have enabled security defaults in your tenant. There are some basic controls that security defaults enforces:
      1. Requiring all users to register for multifactor authentication
      2. Requiring administrators to do multifactor authentication
      3. Requiring users to do multifactor authentication when necessary
      4. Blocking legacy authentication protocols
      5. Protecting privileged activities like access to the Azure portal

    Out of the basic controls in security defaults, the first option "Requiring all users to register for multifactor authentication" requires all users to register for MFA.

    This doesn't mean that all users will be prompted for MFA. MFA will only be prompted where Entra sees an abnormality in the sign-in.

    If you do not want the MFA registration prompts for all users, then you can disable security defaults by logging in to the Entra ID portal using Global admin credentials, and then browsing to Identity >> Overview >> Properties >> Manage security defaults. Disable security defaults.

    • Registration campaign: The purpose of Microsoft launching the registration campaign is to help organization users move away from SMS and voice authentication.

    With this registration campaign users in your organization who are relying on SMS and voice for MFA will be prompted to use the Microsoft Authenticator app.

    This means this program will get applied to only those users who are using SMS and Voice method for MFA.

    If you disable the registration campaign, then there will be NO IMPACT on users who have already registered for the Authenticator app.

    Users will still be prompted for MFA depending on what authentication method you have assigned to them for registration or what method they have used while MFA registration initially.

    • Conditional access: Conditional Access is Microsoft's Zero Trust policy engine, taking signals from various sources into account when enforcing policy decisions. Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example: if a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access. You can check the Conditional Access policies that are created and make sure the impacted users are not part of any CA policy which requires MFA for accessing the resources.

    Let me know if you have any further questions. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
    1 person found this answer helpful.
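To check the three causes the answer lists for one account in a single pass, here is an added Microsoft Graph PowerShell script (my own example, not code from the answer or from Microsoft). It assumes the Microsoft.Graph module is installed and that the signing-in admin can consent to the read-only scopes it requests; role-based and guest scoping of CA policies are not evaluated.

```powershell
# Added example: triage why a user is being asked to register MFA.
# Assumes the Microsoft.Graph PowerShell SDK and read-only Graph scopes.
param([Parameter(Mandatory)][string]$UserPrincipalName)

Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All","User.Read.All" -NoWelcome

# 1. Security defaults: when enabled, every user must register for MFA.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. Registration campaign: nudges SMS/voice MFA users toward the Authenticator app.
$amp = Get-MgPolicyAuthenticationMethodPolicy
$campaign = $amp.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
"Registration campaign state: $($campaign.State)"

# 3. Conditional Access: enabled policies that require MFA (built-in 'mfa' control
#    or an authentication strength) and whose user scope includes this account.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
# Transitive group membership, so nested groups used in CA scoping are covered.
$groupIds = @((Get-MgUserTransitiveMemberOf -UserId $user.Id -All).Id)

$hits = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    $u = $p.Conditions.Users
    $inGroup  = @($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
    $outGroup = @($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $user.Id) -or $inGroup
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or $outGroup
    if ($included -and -not $excluded) { $p.DisplayName }
}

if ($hits) {
    "Enabled CA policies requiring MFA that include $($user.UserPrincipalName):"
    $hits | ForEach-Object { "  - $_" }
} else {
    "No enabled CA policy requiring MFA includes $($user.UserPrincipalName)."
}
```

If all three checks come back clear, the remaining cause on this page is per-user MFA or a missing authentication method, which the question's own workaround (adding a method under Authentication Methods) addresses.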
